Date:      Sat, 3 Aug 2002 12:58:47 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        Joe & Fhe Barbish <barbish@a1poweruser.com>
Cc:        "Crist J. Clark" <cjc@FreeBSD.ORG>, FBIPFW <freebsd-ipfw@FreeBSD.ORG>, archie@whistle.com, cmott@scientech.com, perhaps@yes.no, suutari@iki.fi, dnelson@redwoodsoft.com, brian@awfulhak.org, ru@FreeBSD.ORG
Subject:   Re: natd & keep-state
Message-ID:  <20020803125847.B2239@iguana.icir.org>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGIEFKCHAA.barbish@a1poweruser.com>; from barbish@a1poweruser.com on Sat, Aug 03, 2002 at 02:18:14PM -0400
References:  <20020803070339.GC47529@blossom.cjclark.org> <MIEPLLIBMLEEABPDBIEGIEFKCHAA.barbish@a1poweruser.com>

I have tried to stay out of this pointless thread, but given that I
have been indirectly mentioned

> ...
> The author of the keep-state option saw the need in ipfw to provide a
> more complete security protection of the bi-directional exchange of
> packets during the session conversation so fraudulent packets could not
> ...

stateful rules do, in terms of filtering, pretty much the same work
that natd and "ppp -alias" do (the latter two using the same library,
namely libalias). You may want them when you don't use natd/ppp-alias,
and you certainly don't want them when you use natd/ppp-alias.

I see no point in trying to write ipfw rulesets to make keep-state
and natd work together, as it gives you absolutely no additional
protection. Nor do I see any obligation for anyone to prove or disprove
that they can work together.

It can be done, it is non-trivial, and you need to have a very good
understanding of how packets flow through the protocol stack.  It
is slightly easier to make stateful ipfw rules work together with
"ppp -alias" because the latter does not reinject packets into the
protocol stack as natd does. But other than that, there is no
bug in ipfw or natd related to this issue.

If what you are claiming is that we need in-kernel nat functionality,
yes we do, so would you like to write one? Otherwise just be quiet
and patient and wait until someone comes up with one.

> Help me get the people you know who maintain natd & ipfw to participate.
> They have to look into the ipfw/natd source code to design a solution.
> Maybe this change can be combined/included with the ipfw2 effort.

Continuously posting the same email to the list is just going to
provoke the opposite of what you want. And you have already succeeded
with me.

	out of this thread.
	luigi
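The two alternatives Luigi contrasts above, written out as ipfw rule lists. This is an added illustration, not code from the thread or from FreeBSD's rc.firewall: on a host without NAT the keep-state rules do the flow tracking, while on a natd host the translation table (plus natd's -deny_incoming option from natd(8)) does that same job and no keep-state rules are used. The outside interface name fxp0 and the divert port 8668 are assumptions; the functions print the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: the two rulesets described in the mail, one with stateful
# ipfw rules and one with natd. Interface and divert port are assumptions.

OIF="${OIF:-fxp0}"               # assumed outside interface
NATD_PORT="${NATD_PORT:-8668}"   # natd's default divert port

# Print each ipfw command, or execute it when APPLY=1 (dry run by default).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Alternative A: no natd/ppp -alias on this host, so stateful rules track
# the bidirectional flow; check-state must precede the keep-state rules.
stateful_ruleset() {
    run ipfw -f flush
    run ipfw add 100 allow ip from any to any via lo0
    run ipfw add 200 check-state
    run ipfw add 300 allow tcp from any to any out via "$OIF" setup keep-state
    run ipfw add 400 allow udp from any to any out via "$OIF" keep-state
    run ipfw add 65000 deny ip from any to any
}

# Alternative B: natd (started with -deny_incoming) translates packets and
# drops inbound ones with no alias entry; the divert rule reinjects each
# packet at the following rule, and no keep-state rule is used at all.
natd_ruleset() {
    run ipfw -f flush
    run ipfw add 100 allow ip from any to any via lo0
    run ipfw add 200 divert "$NATD_PORT" ip from any to any via "$OIF"
    run ipfw add 300 allow ip from any to any
}

# Usage: sh this_script.sh (prints both rule lists); APPLY=1 sh this_script.sh
stateful_ruleset
echo "---"
natd_ruleset
```

Run without APPLY to review the rule lists; the point of keeping them as two separate functions is that, as the mail says, a host uses one mechanism or the other, not both.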
