Date:      Mon, 15 Dec 1997 21:55:53 +0000
From:      Brian Somers <brian@awfulhak.org>
To:        Font <font@Mcs.Net>
Cc:        questions@FreeBSD.ORG
Subject:   Re: natd and ipfw, how do they work together? 
Message-ID:  <199712152155.VAA10644@awfulhak.demon.co.uk>
In-Reply-To: Your message of "Mon, 15 Dec 1997 10:34:00 CST." <Pine.BSF.3.95.971215102011.19342B-100000@Jupiter.Mcs.Net> 

> I am a typical user of natd, using a machine with two interfaces to
> connect my private network with the Internet.  I am also using the ipfw
> firewall software.  This is all under 2.2.5-RELEASE.
> 
> My question is, if I let a few machines on the private network access the
> Internet (but not others), how do I make sure that the firewall still
> functions when I am using natd?
> 
> For instance, let's say an internal nameserver at 192.168.1.1 is allowed
> to get out to the Internet for DNS queries, using the firewall/gateway at 
> 192.168.1.2.  I would allow this with
> 
> 	ipfw add divert natd udp from 192.168.1.1 to any 53 via fxp1
> 
> where fxp1 is my outside interface on the firewall running ipfw.  But when
> I want the result to come back, I have to send the packet back through
> natd again for translation.  Until it's translated, though, I don't know
> what host it's for!  Therefore something like
> 
> 	ipfw add divert natd udp from any to 192.168.1.1 53 via fxp1
> 
> won't work, because until natd translates fxp1's IP to 192.168.1.1, such a
> rule has no meaning.  Hence my question.
> 
> When natd does its translation, is the translated packet resent as if it
> came from the outside again, only with internal addresses properly
> inserted?  Or after a packet goes through natd, does it just go to its
> destination without delay?
> 
> If the latter is the case, then I really need two firewalls, one to
> prevent unauthorized traffic from leaving the network, and one to perform
> natd on and to prevent unauthorized traffic from entering the network.
> 
> This is a pretty new experience for me, as we just got our T1, so if I've
> explained anything badly, please feel free to ask for more details.

Each incoming packet is subjected to the firewalling rules.  When one 
of these rules says ``divert'', the packet is sent to natd and no 
further firewall rules are applied.  The kernel is finished with the 
packet.

If natd chooses to re-insert the packet into the incoming packet 
stream (which it always does), it's again subjected to the 
firewalling rules, but *ignoring* the divert this time 'round.

The result is that if you put the divert rules at the start of your 
ipfw list, the remaining rules get to see the un-aliased packet.

There are some regular arguments about whether the re-inserted packet 
should be only subjected to the rules *after* the divert....

Either way, IMHO, you should always put your divert rules first, then 
you get to firewall what's *actually* being routed rather than what 
it looks like to the outside world.

Outgoing packets are basically the same.  Divert them first and 
you'll get to firewall the real scenario rather than the fake 
``outside world'' view.

> Thanks,
> 
> dw
> 
> A bug in my MUA causes news.announce.newusers                            font
> to be sent to beneficiaries and senders of UCE/SPAM.                        @
>                                                                       mcs.net
> Wishes are like dishes.
> 

-- 
Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <brian@OpenBSD.org>
      <http://www.Awfulhak.org>;
Don't _EVER_ lose your sense of humour....
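A small Python model of the incoming-packet behaviour described in the reply above, added here as an example rather than code from the thread or from FreeBSD: a matching divert is taken once, natd restores the inside destination, and the rule walk restarts with the divert ignored. The public address 203.0.113.1 on fxp1, the external DNS server 198.51.100.53 and the default-deny policy are constructed assumptions.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"      # assumed public address of fxp1 (constructed)
EXT_DNS = "198.51.100.53"      # assumed external DNS server (constructed)
INSIDE_NS = "192.168.1.1"      # the internal nameserver from the question

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Natd:
    """Toy natd: remembers outbound flows, restores the inside destination on replies."""
    def __init__(self):
        self.table = {}

    def outbound(self, pkt):
        self.table[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        return replace(pkt, src=PUBLIC_IP)

    def inbound(self, pkt):
        inside = self.table.get((pkt.src, pkt.sport, pkt.dport))
        return replace(pkt, dst=inside) if inside else pkt

def run_inbound(rules, pkt, natd):
    """Walk the incoming rules in order. A matching divert hands the packet to
    natd, which re-inserts it; the walk restarts with the divert ignored."""
    diverted = False
    while True:
        for action, match in rules:
            if not match(pkt) or (action == "divert" and diverted):
                continue
            if action == "divert":
                pkt, diverted = natd.inbound(pkt), True
                break
            return action, pkt.dst        # verdict and the address the rule saw
        else:
            return "deny", pkt.dst        # assumed default-deny policy

DIVERT = ("divert", lambda p: True)                                   # divert natd ip from any to any via fxp1
ALLOW_DNS_REPLY = ("allow", lambda p: p.sport == 53 and p.dst == INSIDE_NS)  # written against the real address
DENY_ALL = ("deny", lambda p: True)

def dns_reply(rules, inside_host=INSIDE_NS):
    """Send one DNS query out (populating natd's table), then filter its reply."""
    natd = Natd()
    natd.outbound(Packet(inside_host, 40000, EXT_DNS, 53))
    return run_inbound(rules, Packet(EXT_DNS, 53, PUBLIC_IP, 40000), natd)

if __name__ == "__main__":
    print(dns_reply([DIVERT, ALLOW_DNS_REPLY, DENY_ALL]))   # divert first: rule sees 192.168.1.1
    print(dns_reply([ALLOW_DNS_REPLY, DENY_ALL, DIVERT]))   # divert last: rule sees 203.0.113.1, reply denied
```

With the divert first, the allow rule for 192.168.1.1 matches the de-aliased reply, while a reply destined for any other inside host still falls through to the deny; with the divert placed after the filter, the same rule never matches because it only ever sees the fxp1 address.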