IPFW: combining "divert natd" with "keep-state"
subscriber at insignia.com
Wed Jun 18 06:32:04 PDT 2003
On Wed, 11 Jun 2003 13:21:07 +0100, in local.freebsd.security you
>## Example ##
>fxp0 = external nic
>xl0 = internal nic
>internal network = 10.10.10.0/24
>internal traffic NAT'd to 184.108.40.206
>## handle nat traffic
>100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
>200 divert 8668 ip from any to 220.127.116.11 in via fxp0
>## dynamic rules for internal clients access to everything
>## needed so un-nat'd return traffic can flow out the
>## internal nic to the internal clients
>400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
>500 allow udp from 10.10.10.0/24 to any keep-state via xl0
>## dynamic rules allow natd alias address access to
>## external resources
>600 allow tcp from 18.104.22.168 to any keep-state out via fxp0
>700 allow udp from 22.214.171.124 to any keep-state out via fxp0
This appears to work but I am at a loss to understand how!
If I follow one TCP packet all the way out to the Internet and
its reply back to the internal net, there are four ipfw trips:
A - request packet incoming on xl0
B - request packet outgoing on fxp0
C - reply packet incoming on fxp0
D - reply packet outgoing on xl0
Trip A matches rule 400 and is accepted, creating a dynamic
rule which will match trip D.
Trip B first matches rule 100, gets rewritten by natd then
matches rule 600 and is sent, creating a dynamic rule
matching a reply to 126.96.36.199.
Trip C is the problem. It matches rule 200 so gets rewritten,
and now does not match the dynamic rule created by trip B
since that matches packets with 188.8.131.52 as destination
address, which this packet no longer has. None of the other
rules match either, so it is dropped.
So how can it work?????
This is the problem I have always been struggling with,
i.e. should the dynamic rules match the incoming packets
before or after they have been rewritten by natd to have
their final destination address.
I have always had the equivalent of "pass all from any
to any via xl0", which replaces the dynamic rule created
by trip A and used by trip D, but this doesn't alter
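A small model of the four trips above, added here as an example rather than taken from the post; under ipfw's documented behaviour (a divert reinjects the rewritten packet at the next rule, and dynamic rules are consulted at the first keep-state rule reached and match on protocol, addresses and ports with no interface) the rewritten trip C is passed by the state created in trip A, not by the one from trip B. The alias, client and remote addresses are constructed, and natd's translation table is simplified to a single client.

```python
import ipaddress
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")                   # from the post
ALIAS, CLIENT, REMOTE = "203.0.113.5", "10.10.10.7", "198.51.100.20"   # constructed; ALIAS = natd alias

def natd(p):
    """Model of natd: alias the source out via fxp0, un-alias the destination in via fxp0."""
    if p["dir"] == "out" and ipaddress.ip_address(p["src"]) in INTERNAL_NET:
        return {**p, "src": ALIAS}
    if p["dir"] == "in" and p["dst"] == ALIAS:
        return {**p, "dst": CLIENT}            # stands in for natd's translation table
    return p

def state_key(p):
    # Dynamic rules match protocol, addresses and ports in either direction; no interface.
    return (p["proto"], frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])}))

def sel(selector, addr):                       # None = any, str = host, network = subnet
    return (selector is None or addr == selector or
            (not isinstance(selector, str) and ipaddress.ip_address(addr) in selector))

# (number, action, proto, src, dst, direction or None for "via", interface), as in the post
RULES = [(100, "divert", "ip", INTERNAL_NET, None, "out", "fxp0"),
         (200, "divert", "ip", None, ALIAS, "in", "fxp0"),
         (400, "allow keep-state", "tcp", INTERNAL_NET, None, None, "xl0"),
         (500, "allow keep-state", "udp", INTERNAL_NET, None, None, "xl0"),
         (600, "allow keep-state", "tcp", ALIAS, None, "out", "fxp0"),
         (700, "allow keep-state", "udp", ALIAS, None, "out", "fxp0")]

def ipfw(p, dyn):
    """One trip through the ruleset; returns (verdict, deciding rule, packet as delivered)."""
    for num, action, proto, src, dst, direction, iface in RULES:
        if "keep-state" in action and state_key(p) in dyn:
            return "allow", dyn[state_key(p)], p   # implicit check-state at the first keep-state rule
        if not (proto in ("ip", p["proto"]) and sel(src, p["src"]) and sel(dst, p["dst"])
                and direction in (None, p["dir"]) and iface == p["iface"]):
            continue
        if action == "divert":
            p = natd(p)                            # rewritten packet resumes at the next rule
            continue
        dyn[state_key(p)] = num                    # keep-state: remember this flow
        return "allow", num, p
    return "deny", 65535, p

def four_trips():                              # trips A-D from the post, as (verdict, deciding rule)
    dyn = {}
    a = ipfw(dict(proto="tcp", src=CLIENT, sport=40000, dst=REMOTE, dport=80, iface="xl0", dir="in"), dyn)
    b = ipfw({**a[2], "iface": "fxp0", "dir": "out"}, dyn)               # B: natd aliases the source
    c = ipfw(dict(proto="tcp", src=REMOTE, sport=80, dst=b[2]["src"], dport=40000, iface="fxp0", dir="in"), dyn)
    d = ipfw({**c[2], "iface": "xl0", "dir": "out"}, dyn)                # D: matches trip A's state
    return [(v, r) for v, r, _ in (a, b, c, d)]
```

The state left by rule 600 is never consulted for the reply, because rule 200 has already rewritten the destination before the first keep-state rule is reached.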