Date:      Fri, 12 Jun 1998 00:42:19 -0700 (PDT)
From:      Doug White <dwhite@resnet.uoregon.edu>
To:        carl.p.edwards@usa.net
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: NAT and IPFW security
Message-ID:  <Pine.BSF.3.96.980612003818.11999X-100000@resnet.uoregon.edu>
In-Reply-To: <19980607145830.13113.qmail@www02.netaddress.usa.net>

On Sun, 7 Jun 1998 carl.p.edwards@usa.net wrote:

> Hi,
> 
>    Consider this network:
> 
>  ---------------
> | I-net router  |
> | 123.123.123.1 |
>  ---------------
>      |
>      |
>      |     ---------------------------        -----------
>      |    |          "eagle"          |      | "sparrow" |
>      >----| 123.123.123.2    10.1.1.1 |------| 10.1.1.2  |
>      |    | [ed0]               [ed1] |      |           |
>      |     ---------------------------        -----------
>      |
>      |
>      |     ---------------
>      |    | "falcon"      |
>      >----| 123.123.123.3 |
>      *     ---------------

Excellent ASCII-gram, thanks!

> All computers are running FreeBSD 2.2.6. The server "eagle" is running
> NAT. The way I figured is that if "falcon" was set to have 123.123.123.2
> as its default gateway rather than 123.123.123.1 a user on falcon would
> be able to access "sparrow" simply by telnetting or whatever to
> 10.1.1.2. Now if this rule was applied on "eagle": 

Not true.  Net10 is hidden behind eagle; falcon would have to know to
route 10.x through eagle, which invokes the natd translation.  

>    1000 deny all from 123.123.123.1/24 to 10.1.1.1/24 via ed0

The problem with this rule is that it will defeat the natd translation by
blocking the generated packets.  I think.  I don't know if the `via' info
is kept after the reinjection of the natd-translated packets.

> I'm not 100% clear on how IPFW and NAT work together so any help would
> be appreciated. 

ipfw simply provides the conduit to natd.  The `divert' rule is the key to
gluing the two together. Packets that match the divert rule get
natd-translated, then reinjected into the packet stream at the top, but
ignore divert rules on their second pass through.  

Doug White                              | University of Oregon  
Internet:  dwhite@resnet.uoregon.edu    | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite    | Computer Science Major


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
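Added example, not code from the thread: a toy model of the ipfw rule walk with a natd divert rule, written to show what rule 1000 from the post does once natd reinjects a translated packet under the "restart at the top, skip divert" behaviour the reply describes. Rule 900, the masquerade mapping (sparrow 10.1.1.2 appears as eagle's public 123.123.123.2) and the `via_kept` switch (whether the `via` interface survives reinjection, which the reply is unsure about) are constructed assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    iface: Optional[str]       # interface the packet was seen on (ipfw 'via')
    seen_natd: bool = False    # True once natd has reinjected the packet

# (number, action, from, to, via); rule 900 and 65535 are assumed, 1000 is from the post
RULES = [
    (900,   "divert", "0.0.0.0/0",        "0.0.0.0/0",   "ed0"),  # natd on ed0
    (1000,  "deny",   "123.123.123.0/24", "10.1.1.0/24", "ed0"),  # rule from the post
    (65535, "allow",  "0.0.0.0/0",        "0.0.0.0/0",   None),   # default rule
]

def matches(rule, p):
    _, _, src_net, dst_net, via = rule
    return (ip_address(p.src) in ip_network(src_net, strict=False)
            and ip_address(p.dst) in ip_network(dst_net, strict=False)
            and (via is None or p.iface == via))

def natd(p):
    """Constructed natd: sparrow (10.1.1.2) is masqueraded behind 123.123.123.2."""
    if p.dst == "123.123.123.2":                      # inbound reply for sparrow
        return replace(p, dst="10.1.1.2", seen_natd=True)
    if ip_address(p.src) in ip_network("10.1.1.0/24"):  # outbound from net 10
        return replace(p, src="123.123.123.2", seen_natd=True)
    return replace(p, seen_natd=True)                 # nothing to translate

def ipfw(p, via_kept=True):
    """Walk RULES: a matching divert hands the packet to natd, which reinjects it
    at the top; divert rules are skipped on that second pass. via_kept=False
    models interface information being lost on reinjection."""
    while True:
        for rule in RULES:
            num, action = rule[0], rule[1]
            if action == "divert" and p.seen_natd:
                continue                              # no second divert
            if not matches(rule, p):
                continue
            if action == "divert":
                p = natd(p)
                if not via_kept:
                    p = replace(p, iface=None)
                break                                 # restart from the top
            return num, action
```

Running the three cases shows the rule does what the poster wanted for falcon reaching 10.1.1.2 directly, but also drops falcon's replies to sparrow's masqueraded sessions if `via` survives reinjection, while replies from hosts outside 123.123.123/24 are unaffected.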
