Date: Sat, 3 Aug 2002 12:58:47 -0700
From: Luigi Rizzo
To: Joe & Fhe Barbish
Cc: "Crist J. Clark", FBIPFW, archie@whistle.com, cmott@scientech.com, perhaps@yes.no, suutari@iki.fi, dnelson@redwoodsoft.com, brian@awfulhak.org, ru@FreeBSD.ORG
Subject: Re: natd & keep-state
Message-ID: <20020803125847.B2239@iguana.icir.org>
References: <20020803070339.GC47529@blossom.cjclark.org>
In-Reply-To: ; from barbish@a1poweruser.com on Sat, Aug 03, 2002 at 02:18:14PM -0400

I have tried to stay out of this pointless thread, but given that I have been indirectly mentioned

> ...
> The author of the keep-state option saw the need in ipfw to provide a
> more complete security protection of the bi-directional exchange of
> packets during the session conversation so fraudulent packets could not
> ...

stateful rules do, in terms of filtering, pretty much the same work that natd and "ppp -alias" do (the latter two using the same library, namely libalias). You may want them when you don't use natd/ppp-alias, and you certainly don't want them when you use natd/ppp-alias.
I see no point in trying to write ipfw rulesets to make keep-state and natd work together, as it gives you absolutely no additional protection. Nor do I see any obligation for anyone to prove or disprove that they can work together. It can be done, it is non-trivial, and you need to have a very good understanding of how packets flow through the protocol stack. It is slightly easier to make stateful ipfw rules work together with "ppp -alias" because the latter does not reinject packets into the protocol stack as natd does. But other than that, there is no bug in ipfw or natd related to this issue.

If what you are claiming is that we need in-kernel nat functionality, yes we do, so would you like to write one? Otherwise just be quiet and patient and wait until someone comes up with one.

> Help me get the people you know who maintain natd & ipfw to participate.
> They have to look into the ipfw/natd source code to design a solution.
> Maybe this change can be combined/included with the ipfw2 effort.

Continuously posting the same email to the list is just going to provoke the opposite of what you want. And you have already succeeded with me. out of this thread.

luigi