From owner-freebsd-security Tue Aug 7 10: 7:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.roe35.lth2.k12.il.us (unknown [209.175.240.58]) by hub.freebsd.org (Postfix) with ESMTP id 21B8937B409 for ; Tue, 7 Aug 2001 10:07:37 -0700 (PDT) (envelope-from dallen@roe35.lth2.k12.il.us)
Received: from dougs_laptop (dougs_laptop [209.175.240.20]) by mail.roe35.lth2.k12.il.us (8.9.3/8.9.3) with ESMTP id MAA43627; Tue, 7 Aug 2001 12:11:36 -0500 (CDT) (envelope-from dallen@roe35.lth2.k12.il.us)
Message-ID: <200108071213090935.01249DF0@mail.roe35.lth2.k12.il.us>
In-Reply-To:
References:
X-Mailer: Calypso Version 3.00.01.02 (1)
Date: Tue, 07 Aug 2001 12:13:09 -0500
From: "Douglas G. Allen"
To: "Max Clements"
Cc: freebsd-security@freebsd.org
Subject: RE: ipfw question
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Max,

>I am assuming you mean on both interfaces, on my machine I use aliases as
>well with the port-redirect statement to natd, and I set the IPFW rules up
>using the via rl0 (my external) interface format.

I want to use ipfw to filter on both the true interface (fxp0) and the alias. I'm not using NAT at all. I'm using public addresses.

>I must confess, I have battled with the same problem - and I have not managed
>to get the functioning of IPFW and NATD clear in my head, what I do know is
>that IPFW uses divert(4) sockets to divert all ip traffic to NATD *before* it
>processes any rules. This means that all ipfw rules that you use in your
>firewall should refer to the translated addresses and not the public
>addresses, as natd rewrites the packets after the divert and then hands them
>back to ipfw at the rule number following the divert rule. To illustrate my
>point, here are the first few rules from my firewall
>
>[46] root@mufasa:/usr/local# ipfw list
>00050 divert 8668 ip from any to any via rl0
>00100 allow ip from any to any via lo0
>00200 deny ip from any to 127.0.0.0/8
>00300 deny ip from 127.0.0.0/8 to any
>00400 deny log logamount 100 ip from 172.16.0.10 to any via rl0
>00500 deny log logamount 100 ip from 192.168.0.0/16 to any via rl0

If I were using natd, I understand that I have to use the translated addresses. Maybe I do need to look at the alias as a translation and use the via fxp0 in the rules. I haven't done so up to this point, because I hoped to have a set of rules with two real interfaces. That got changed to two IPs on one interface. At any rate, it's given me something else to think about and try.

>NATD hands packets back at rule 100 after translation, this translation is
>performed on all the alias addresses according to the nat config.

This I think I understand, because the translation occurs before the rules are tested.

>Hope this helps, as it was something that really tripped me up until I
>started to log ALL packets - which was a daunting task...

Now that I see it, I think it needs to have the via clause on the rules for the alias, since it is going through the real interface. The best thing I can think of is to go try it and see if it works.

Doug

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
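The ruleset below is an added example, not Doug's or Max's configuration, showing the layout the thread converges on: one real interface (fxp0, taken from Doug's message) carrying a primary public address and an alias, with no natd and therefore no divert rule, so every rule sees the real public addresses. Alias traffic is distinguished by matching the destination or source address explicitly while every rule on the shared interface still carries the via fxp0 clause. The two addresses (192.0.2.10 and 192.0.2.11), the rule numbers and the service ports are constructed placeholders; the script prints the ipfw commands by default (dry run) and only loads them when IPFW=/sbin/ipfw is set in the environment.

```shell
#!/bin/sh
# Added example ipfw ruleset for a single interface with a primary address
# and an alias, no natd. Addresses below are constructed placeholders from
# the 192.0.2.0/24 documentation range, not values from the list thread.
IPFW=${IPFW:-"echo ipfw"}      # dry run by default; set IPFW=/sbin/ipfw to load
EXT_IF=${EXT_IF:-fxp0}         # the one real interface (from the thread)
PRIMARY=${PRIMARY:-192.0.2.10} # primary public address (constructed)
ALIAS=${ALIAS:-192.0.2.11}     # alias on the same interface (constructed)

build_rules() {
    $IPFW -f flush

    # No divert rule here: with public addresses and no natd, the packets the
    # rules see already carry the real addresses.

    # Loopback and 127/8 hygiene, as in Max's listing.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from any to 127.0.0.0/8
    $IPFW add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing on the shared interface: neither of our own addresses nor
    # RFC 1918 space may arrive inbound on fxp0. The alias needs its own rule
    # because ipfw matches on the packet address, not the interface alias.
    $IPFW add 400 deny log logamount 100 ip from $PRIMARY to any in via $EXT_IF
    $IPFW add 410 deny log logamount 100 ip from $ALIAS to any in via $EXT_IF
    $IPFW add 500 deny log logamount 100 ip from 10.0.0.0/8 to any via $EXT_IF
    $IPFW add 510 deny log logamount 100 ip from 172.16.0.0/12 to any via $EXT_IF
    $IPFW add 520 deny log logamount 100 ip from 192.168.0.0/16 to any via $EXT_IF

    # Replies to connections we started.
    $IPFW add 1000 allow tcp from any to any established

    # Per-address services. Both rules use "via fxp0" because alias traffic
    # enters through the real interface; the destination address selects
    # which of the two IPs the service is offered on (ports are placeholders).
    $IPFW add 1100 allow tcp from any to $PRIMARY 22 in via $EXT_IF setup
    $IPFW add 1200 allow tcp from any to $ALIAS 80 in via $EXT_IF setup

    # Outbound traffic sourced from either of our addresses.
    $IPFW add 2000 allow ip from $PRIMARY to any out via $EXT_IF
    $IPFW add 2010 allow ip from $ALIAS to any out via $EXT_IF

    # Log and drop everything else on the real interface, including anything
    # aimed at the alias that no rule above admitted.
    $IPFW add 65000 deny log logamount 100 ip from any to any via $EXT_IF
}

build_rules
```

Run it once without IPFW set to review the generated rules, then with IPFW=/sbin/ipfw to load them; the logged denies at 400, 410 and 65000 are what make it visible whether alias-bound packets are reaching the rules with the address and interface you expect.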