From: Robert Downes
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Wed, 16 Jun 2004 01:32:58 +0100
Subject: Re: Firewall rules
Message-ID: <40CF953A.9030304@lineone.net>

JJB wrote:

> Fundamentally his keep-state rules work and yours don't.

I have used his script exactly, modifying only for the differences in my ISP's addresses. Everything works as before, and still the check-state rule is showing zero packets and zero bytes, even though keep-state rules have been triggered. Are you sure this is not just a quirk of IPFW?

> The use of the skipto rule to control what IP address goes into the dynamic keep-state table, i.e. the LAN IP or the natd public IP. The bottom line is native ipfw with natd and stateful rules does not work together at all, unless you do some gymnastics with the skipto rule so the dynamic keep-state table always has the private LAN IP address for matching against.

Yes, this is the mechanism I cannot find a clear explanation for. Can you recommend a link to a page that defines how IPFW stumbles on NAT and keep-state, because I've read and re-read the IPFW man page, and it does me no good whatsoever.

> If you want the max in firewall protection you need stateful rules to monitor the bi-directional exchange of session packets conversation so forged packets cannot be inserted.

I agree.

> My recommendation is to scrap your rule file and use the posted archive example with changes for your network, like the 2 LAN NIC cards, lo0 interface, and the correct public-facing NIC card interface for the via interface name.

I've done that. Much better ruleset, but I still cannot see how it is handling NAT + keep-state any differently.

> Second problem is you are allowing everything out your firewall. This is very bad as it allows out any trojans or spy-ware from Windows boxes on your LAN so they can report their harvested info to the person who planted them. Take control of your firewall and only allow out the exact services you know you are using.

No arguments there. I'm running ZoneAlarm on all Windows boxes, but it's still better to aim for traffic to be killed on sight by the router.

-- 
Bob
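The skipto mechanism JJB refers to, as an added example ruleset that is not part of either poster's message: inbound packets are passed through natd before check-state, so the dynamic table is compared against LAN addresses, and outbound keep-state rules use skipto (which does not end rule processing, unlike allow) to land on the outbound natd divert after the state entry has been created with the private source address. Interface names xl0/dc0, the LAN subnet and the rule numbers are assumed placeholders; the script only prints the rules unless CMD is set to a real `ipfw -q add`.

```shell
#!/bin/sh
# Added example: rule ordering that lets ipfw keep-state coexist with natd.
# Interface names, LAN subnet and rule numbers are constructed placeholders.
# On a real router run with CMD="ipfw -q add"; by default the rules are printed.
: "${CMD:=echo ipfw -q add}"
pif="xl0"             # public (WAN) interface, assumed name
lif="dc0"             # private LAN interface, assumed name
lan="192.168.1.0/24"  # private LAN subnet, constructed

ipfw_nat_stateful_rules() {
    # Traffic that never crosses the public interface needs neither NAT nor state.
    $CMD 010 allow ip from any to any via $lif
    $CMD 020 allow ip from any to any via lo0
    # Inbound: translate the public destination back to the LAN address FIRST,
    # so check-state compares the reply against entries keyed on LAN addresses.
    $CMD 100 divert natd ip from any to any in via $pif
    $CMD 110 check-state
    # Outbound: keep-state records the packet with its private source address
    # (it has not been translated yet). skipto, unlike allow, does not stop
    # processing, so the packet still reaches the outbound divert at 800.
    $CMD 200 skipto 800 tcp from $lan to any out via $pif setup keep-state
    $CMD 210 skipto 800 udp from $lan to any 53 out via $pif keep-state
    # Anything else leaving via the public interface is denied and logged:
    # only the services listed above are allowed out.
    $CMD 300 deny log ip from any to any out via $pif
    # Unsolicited inbound traffic that matched no dynamic entry.
    $CMD 310 deny log ip from any to any in via $pif
    # Landing pad: NAT the already-stated outbound packet, then let it through.
    $CMD 800 divert natd ip from any to any out via $pif
    $CMD 801 allow ip from any to any
}

ipfw_nat_stateful_rules
```

A later packet of an established flow matches at rule 110 and inherits the creating rule's skipto action, so it too ends up at rule 800 and is translated.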