Date: Mon, 29 Jul 2002 14:47:58 +0000 From: Philip Reynolds <philip.reynolds@rfc-networks.ie> To: freebsd-ipfw@freebsd.org Subject: 4.6-RELEASE / NATD + IPFW + keep-state Message-ID: <20020729144758.A11849@rfc-networks.ie>
next in thread | raw e-mail | index | archive | help
Hi,
I'm having a few problems with using natd and ipfw.
Originally, I was having serious serious problems trying to get
stateful firewalling working with NAT.
Currently my setup is the following:
Public Interface: xl0
Interface address: 10.0.0.1
Subnet mask: 255.255.255.0
Private interface: xl1
Interface Address: 10.0.1.1
Subnet mask: 255.255.255.0
I am doing NAT on anything going out through xl0 from 10.0.1.0/24.
However, I want a default DENY policy, with a few stateful rules to
allow ssh, http-proxy and smtp (just common examples, I have plenty
more contrived wishes once this is up and working).
divert 8668 ip from any to any
check-state
allow ip from 10.0.1.0/24 to 10.0.1.0/24 via xl1
allow tcp from any to not 10.0.1.0/24 22 keep-state setup
deny ip from any to any
After quite a lot of painful testing, I came up with the above
rules.
1. NAT everything going through xl0 (this can be refined later)
2. check the state of the packet.
3. allow stuff through on in inside interface, from a machine on the
inside network to another machine on the inside network.
4. allow a setup packet (SYN but no ACK) from machine on inside
network to a machine on the outside network (to a port of 22), and
keep it's state.
5. Deny everything else
This works, but not the way it should, as I'll explain below.
Once a connection is made to the machine, ``ipfw -d list'' brings up
the following in it's dynamic ruleset.
00100 11 726 (T 19, slot 137) <-> tcp, 10.0.0.56 3245<-> 10.0.0.10
22
00100 33 3958 (T 299, slot 179) <-> tcp, 10.0.1.2 3245<-> 10.0.0.10
22
There are two connections showing and the first is actually a SYN
packet, while the second is an ACK. How it's obvious (at least to
me) is the value beside the T (i.e. the timeout value). The first,
counts down from 20, the second from 300 (the default values of
net.inet.ip.fw.dyn_syn_lifetime and net.inet.ip.fw.dyn_ack_lifetime
respectively)
Basically, in ssh-like connections, this means pumping up
net.inet.ip.fw.dyn_ack_lifetime _AND_
net.inet.ip.fw.dyn_syn_lifetime, which I'm a little wary of.
Is what's happening OK? Is there a different way I could order/write
the ruleset to have some "normal" stateful connections.
i.e.
Packet comes in on inside interface.
Packet matches access rule with keep-state option and gets added to
dynamic ruleset
Packet NAT'd
Packet comes in on outside interface
Packet gets NAT'd
Packet matches check-state rule
If anyone has any light to shed on the subject I would be very
grateful. I've spent the last 2 hours or so digging up material
(there's not a whole lot) on ipfw/nat/stateful firewalling,
searching the archives etc. but nothing that will explain the above
behaviour or give me a working alternative.
Regards,
--
Philip Reynolds | Technical Director
philip.reynolds@rfc-networks.ie | RFC Networks Ltd.
http://www.rfc-networks.ie | +353 (0)1 8832063
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020729144758.A11849>