Date: Sun, 17 Feb 2002 12:23:59 -0500
From: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To: <cjclark@alum.mit.edu>
Cc: "FBSD" <freebsd-questions@FreeBSD.ORG>, <cvarda@flopnet.com.br>, "Patrick Soltani" <psoltani@ultradns.com>
Subject: RE: IPFW check-state rules
Message-ID: <LPBBIGIAAKKEOEJOLEGOEENHCHAA.barbish@a1poweruser.com>
In-Reply-To: <20020217080858.P48401@blossom.cjclark.org>
Crist, you wrote this:

"I am saying it is difficult to get ipfw(8) 'keep-state' to work well with natd(8). It may not be worth it for many users. It does not provide additional protection."

You are way out in nowhere land with that statement. I have read you stating in other posts that keep-state provides much better security. And if keep-state did not provide better firewall security, then why would somebody take the time to write it?

Well, I killed natd and user ppp and restarted user ppp with the -nat flag, and now the rules in the outbound section of my rule set as posted here earlier, minus the divert rule, are functioning. The correct answer to my original question was to get rid of natd from the ipfw rule set and use the user ppp nat function. The only thing remaining to do is test each rule one at a time to be sure all the rules are functioning as desired.

A very large thank you to all who responded to my question.

-----Original Message-----
From: Crist J. Clark [mailto:crist.clark@attbi.com]
Sent: Sunday, February 17, 2002 11:09 AM
To: Joe & Fhe Barbish
Cc: Patrick Soltani; cvarda@flopnet.com.br
Subject: Re: IPFW check-state rules

On Sun, Feb 17, 2002 at 10:04:21AM -0500, Joe & Fhe Barbish wrote:
> Crist
> Read your reply many, many times and the only conclusion
> I come to is you are trying to say that the advanced
> check-state function of IPFW does not work with natd(8).

I am saying it is difficult to get ipfw(8) 'keep-state' to work well with natd(8). It may not be worth it for many users. It does not provide additional protection.

> That if I had static ip addresses from my ISP assigned to my
> lan machines the advanced check-state function of IPFW would
> function as advertised.
> [IE: there would be no 'divert natd all from any to any' rule
> in the ipfw rule set].

ipfw(8) 'check-state' works fine. At issue is how a ruleset with 'keep-state' rules and a 'divert' rule to natd(8) functions as a whole.

> This explains why my check-state/keep-state rule set only
> functions correctly for packets originating from the FBSD box
> where the ipfw/natd is running.

Yep.

> This sure looks like a design error in ipfw.

It is due to the fact that ipfw(8) is totally independent from natd(8) and knows nothing about natd(8). natd(8) messes with the source and destination addresses of packets and there is no way for ipfw(8) to know about it.

> So what if I turn off natd(8) and turn on Nat of user ppp,
> remove the 'divert natd all from any to any' from my ipfw rule set,
> will it work then?

Actually, yes, it should. ppp(8) does its NAT after packets leave the firewall on the way out and before they enter on the way in.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
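The ordering problem Crist describes (natd rewriting addresses inside the ruleset, while ipfw's dynamic entries are keyed on whatever addresses the firewall happened to see) can be shown with a small model. The following is an added illustration, not code from this thread or from FreeBSD: a toy stateful filter with one check-state rule and one "allow out keep-state" rule, a toy NAT, and two round trips that differ only in where the translation sits. The addresses are constructed documentation-range values, the NAT keeps the original source port for simplicity, and the divert rule is modelled as running ahead of the dynamic rules, which is where a catch-all 'divert natd all from any to any' usually lives.

```python
from dataclasses import dataclass, replace

LAN_HOST = "192.168.1.10"        # constructed: a machine behind the gateway
GATEWAY_PUBLIC = "198.51.100.1"  # constructed: the gateway's ISP-facing address
REMOTE = "203.0.113.5"           # constructed: a web server on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" (leaving via the external interface) or "in"


class Nat:
    """Toy outbound NAT: rewrite LAN sources to the public address on the way
    out and map matching replies back. Source ports are kept unchanged."""

    def __init__(self, public):
        self.public = public
        self.table = {}  # (remote, remote port, port) -> (lan host, lan port)

    def outbound(self, p):
        if p.src == self.public:          # gateway-originated: nothing to translate
            return p
        self.table[(p.dst, p.dport, p.sport)] = (p.src, p.sport)
        return replace(p, src=self.public)

    def inbound(self, p):
        key = (p.src, p.sport, p.dport)
        if key in self.table:
            host, port = self.table[key]
            return replace(p, dst=host, dport=port)
        return p


class StatefulFirewall:
    """ipfw-style ruleset: 'check-state', then 'allow ... out keep-state',
    then an implicit deny. Dynamic entries are keyed on the addresses the
    firewall saw when the outbound packet created them."""

    def __init__(self):
        self.dynamic = set()

    def filter(self, p):
        # rule 1: check-state - an inbound packet matching a dynamic entry passes
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport) in self.dynamic:
            return True
        # rule 2: allow outbound and keep-state
        if p.direction == "out":
            self.dynamic.add((p.src, p.sport, p.dst, p.dport))
            return True
        # rule 3: deny everything else
        return False


def natd_round_trip(src):
    """Translation inside the ruleset (divert natd ahead of the dynamic rules).
    Returns (outbound accepted, reply accepted)."""
    fw, nat = StatefulFirewall(), Nat(GATEWAY_PUBLIC)
    syn = Packet(src, 40000, REMOTE, 80, "out")
    out_ok = fw.filter(nat.outbound(syn))       # divert first, then keep-state
    synack = Packet(REMOTE, 80, GATEWAY_PUBLIC, 40000, "in")
    in_ok = fw.filter(nat.inbound(synack))      # divert first, then check-state
    return out_ok, in_ok


def ppp_nat_round_trip(src):
    """Translation outside the ruleset, as ppp(8) -nat does it: after the
    firewall on the way out, before the firewall on the way in."""
    fw, nat = StatefulFirewall(), Nat(GATEWAY_PUBLIC)
    syn = Packet(src, 40000, REMOTE, 80, "out")
    out_ok = fw.filter(syn)                     # firewall sees LAN addresses
    nat.outbound(syn)                           # then ppp translates
    synack = Packet(REMOTE, 80, GATEWAY_PUBLIC, 40000, "in")
    in_ok = fw.filter(nat.inbound(synack))      # ppp untranslates, then check-state
    return out_ok, in_ok


if __name__ == "__main__":
    for name, fn in (("natd divert", natd_round_trip), ("ppp -nat", ppp_nat_round_trip)):
        for host in (LAN_HOST, GATEWAY_PUBLIC):
            print(f"{name:12} from {host:14}: out/reply accepted = {fn(host)}")
```

With the divert in the ruleset, the dynamic entry is created for the translated source (the gateway's public address) but the reply is untranslated back to the LAN address before check-state sees it, so the reply is dropped; connections originating from the gateway itself have nothing to translate and work, which is exactly the symptom reported in the thread. With ppp doing the NAT outside the firewall, both halves of the flow reach ipfw with the same LAN addresses and check-state matches.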