Date:      Sat, 3 Aug 2002 17:29:37 -0400
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "Luigi Rizzo" <rizzo@icir.org>
Cc:        "Crist J. Clark" <cjc@FreeBSD.ORG>, "FBIPFW" <freebsd-ipfw@FreeBSD.ORG>, <archie@whistle.com>, <cmott@scientech.com>, <perhaps@yes.no>, <suutari@iki.fi>, <dnelson@redwoodsoft.com>, <brian@awfulhak.org>, <ru@FreeBSD.ORG>
Subject:   RE: natd & keep-state
Message-ID:  <MIEPLLIBMLEEABPDBIEGIEGCCHAA.barbish@a1poweruser.com>
In-Reply-To: <20020803125847.B2239@iguana.icir.org>

Luigi,
First of all, my intention was never to provoke any kind of hard feelings.
I do not understand why keep-state and natd behave the way they do.

I interpret your statement,

stateful rules do, in terms of filtering, pretty much the same work
that natd and "ppp -alias" do (the latter two using the same library,
namely libalias). You may want them when you don't use natd/ppp-alias,
and you certainly don't want them when you use natd/ppp-alias.

To mean that

The keep-state option is intended to only be used when the natd
function is not used.
That natd combined with stateless rules results in the same level of
session conversation statefulness as the keep-state option achieves
when used without natd.

If this is the correct interpretation, then the man page info on the
keep-state option needs to be changed to point out this limitation about
the correct usage of the keep-state option.

And in the same light the natd man page info needs to be changed to
come right out and say that natd combined with stateless rules results in
an IPFW firewall being totally aware of the statefulness of the complete
bi-directional packet exchange of the session conversation so
fraudulent packets cannot be inserted into the session
conversation undetected.

Do you agree?


-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG
[mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Luigi Rizzo
Sent: Saturday, August 03, 2002 3:59 PM
To: Joe & Fhe Barbish
Cc: Crist J. Clark; FBIPFW; archie@whistle.com; cmott@scientech.com;
perhaps@yes.no; suutari@iki.fi; dnelson@redwoodsoft.com; brian@awfulhak.org;
ru@FreeBSD.ORG
Subject: Re: natd & keep-state

I have tried to stay out of this pointless thread, but given that I
have been indirectly mentioned

> ...
> The author of the keep-state option saw the need in ipfw to provide a
> more complete security protection of the bi-directional exchange of
> packets during the session conversation so fraudulent packets could not
> ...

stateful rules do, in terms of filtering, pretty much the same work
that natd and "ppp -alias" do (the latter two using the same library,
namely libalias). You may want them when you don't use natd/ppp-alias,
and you certainly don't want them when you use natd/ppp-alias.

I see no point in trying to write ipfw rulesets to make keep-state
and natd work together, as it gives you absolutely no additional
protection. Nor do I see any obligation for anyone to prove or disprove
that they can work together.

It can be done, it is nontrivial, and you need to have a very good
understanding of how packets flow through the protocol stack.  It
is slightly easier to make stateful ipfw rules work together with
"ppp -alias" because the latter does not reinject packets into the
protocol stack as natd does. But other than that, there is no
bug in ipfw or natd related to this issue.

If what you are claiming is that we need in-kernel nat functionality,
yes we do, so would you like to write one? Otherwise just be quiet
and patient and wait until someone comes up with one.

> Help me get the people you know who maintain natd & ipfw to participate.
> They have to look into the ipfw/natd source code to design a solution.
> Maybe this change can be combined/included with the ipfw2 effort.

Continuously posting the same email to the list is just going to
provoke the opposite of what you want. And you have already succeeded
with me.

        out of this thread.
        luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

