IPFW: combining "divert natd" with "keep-state"
Greg Panula
greg.panula at dolaninformation.com
Wed Jun 11 05:21:11 PDT 2003
Subscriber wrote:
>
> I've been using ipfw for a while to create a router with NAT
> and packet filtering, but have never combined it with
> stateful filtering, instead using things like "established" to
> accept incoming TCP packets which are part of a conversation
> initiated from the "inside".
>
> I'd like to move to using keep-state/check-state to get tighter
> filtering and also to allow outgoing UDP and the replies, which
> currently I block.
>
> But I just can't get my head around how to do this. On the way
> out, should the dynamic rules be created to match the pre-NAT
> or post-NAT packets?
>
> The man pages are good at explaining both NAT and dynamic
> rules but not both in combination.
>
## Example ##
fxp0 = external nic
xl0 = internal nic
internal network = 10.10.10.0/24
internal traffic NAT'd to 1.2.3.4
## handle nat traffic
100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
200 divert 8668 ip from any to 1.2.3.4 in via fxp0
300 check-state
## dynamic rules for internal clients access to everything
## needed so un-nat'd return traffic can flow out the
## internal nic to the internal clients
400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
500 allow udp from 10.10.10.0/24 to any keep-state via xl0
## dynamic rules allow natd alias address access to
## external resources
600 allow tcp from 1.2.3.4 to any keep-state out via fxp0
700 allow udp from 1.2.3.4 to any keep-state out via fxp0
You should also run natd with the "-deny_incoming" flag as an extra
defense against bogus packets.
good luck,
greg
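The question in the quoted mail (pre-NAT or post-NAT?) is easiest to answer by tracing a packet through the ruleset, so here is a small model written for this archive page, not code from Greg's message or from FreeBSD: it walks one outbound TCP connection and its reply through both interfaces and reports which rule decides each pass. Assumptions: rules are tried in order, a matching divert hands the packet to natd and evaluation resumes at the next rule, dynamic rules match on protocol and endpoint pair only (no interface), natd keeps source ports unchanged, and the LAN host 10.10.10.5 and remote 198.51.100.7 are constructed sample addresses.

```python
# Added model (not code from the post): ipfw walking Greg's ruleset, simplified.
EXT_IF, INT_IF, ALIAS = "fxp0", "xl0", "1.2.3.4"
in_lan, any_addr, is_alias = (lambda a: a.startswith("10.10.10.")), (lambda a: True), (lambda a: a == ALIAS)
# (number, action, proto, src test, dst test, direction or None, interface)
RULES = [
    (100, "divert", "ip", in_lan, any_addr, "out", EXT_IF),
    (200, "divert", "ip", any_addr, is_alias, "in", EXT_IF),
    (300, "check-state", None, None, None, None, None),
    (400, "keep-state", "tcp", in_lan, any_addr, None, INT_IF),
    (500, "keep-state", "udp", in_lan, any_addr, None, INT_IF),
    (600, "keep-state", "tcp", is_alias, any_addr, "out", EXT_IF),
    (700, "keep-state", "udp", is_alias, any_addr, "out", EXT_IF),
]
def key(p):  # dynamic rules match on protocol + endpoint pair only, not interface, so replies match
    return (p["proto"], frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])}))
class Firewall:
    def __init__(self):
        self.dyn, self.nat = set(), {}  # keep-state entries; natd table (ports left unchanged)
    def natd(self, p, direction):
        if direction == "out":  # outbound: remember the flow, rewrite the source to the alias
            self.nat[(p["proto"], p["dst"], p["dport"], p["sport"])] = p["src"]
            return dict(p, src=ALIAS)
        orig = self.nat.get((p["proto"], p["src"], p["sport"], p["dport"]))
        return dict(p, dst=orig) if orig else None  # -deny_incoming: unknown inbound flow dropped
    def pass_packet(self, p, direction, iface):  # -> (verdict, rule number, packet after that rule)
        for num, action, proto, stest, dtest, rdir, riface in RULES:
            if action == "check-state":
                if key(p) in self.dyn:
                    return "allow", num, p
            elif (proto in ("ip", p["proto"]) and stest(p["src"]) and dtest(p["dst"])
                  and rdir in (None, direction) and riface == iface):
                if action == "divert":  # natd rewrites the packet; evaluation resumes at next rule
                    p = self.natd(p, direction)
                    if p is None:
                        return "deny", num, None
                else:  # keep-state: allow and create the dynamic rule
                    self.dyn.add(key(p))
                    return "allow", num, p
        return "deny", 65535, p  # default deny
def trace_tcp_session(lan_host="10.10.10.5", remote="198.51.100.7"):
    """Constructed sample: one outbound TCP connection and its reply, four rule passes."""
    fw, steps = Firewall(), []
    syn = {"proto": "tcp", "src": lan_host, "sport": 40000, "dst": remote, "dport": 80}
    reply = {"proto": "tcp", "src": remote, "sport": 80, "dst": ALIAS, "dport": 40000}
    for p, passes in ((syn, (("in", INT_IF), ("out", EXT_IF))),      # LAN host -> remote
                      (reply, (("in", EXT_IF), ("out", INT_IF)))):   # reply sent to the alias
        for direction, iface in passes:
            verdict, num, p = fw.pass_packet(p, direction, iface)
            steps.append((direction, iface, verdict, num, p["src"], p["dst"]))
    return steps
```

The trace shows state being created twice, pre-NAT by rule 400 on xl0 and post-NAT by rule 600 on fxp0, and the reply being de-NAT'd by rule 200 before check-state at 300 matches the pre-NAT entry from 400, which is why rules 400/500 are needed even though 600/700 exist.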