IPFW: combining "divert natd" with "keep-state"

Jim Hatfield subscriber at insignia.com
Tue Jun 24 09:56:11 PDT 2003


On Wed, 11 Jun 2003 12:20:20 +0100, in local.freebsd.security you
wrote:

>
>Attached is the conversation I had with Luigi Rizzo exactly
>three years ago on this topic.  Maybe it is still helpful.

Well it was indeed. The use of skipto was the clue. I didn't
go with any of the setups suggested but rolled my own using
that idea. Here it is, in use so far for four days with no
problems:

>#!/bin/sh
>#
># rc.firewall for NAT'ing firewall router - dynamic rules version.
>#
># JPH -- 20th Jun 2003 Created.
>#
>fw="/sbin/ipfw -q"
>#
># Interface and address definitions
>#
>eint=rl0                                # External interface
>iint=sis0                               # Internal interface
>inet="192.168.100.0/24"                 # Internal net
>#
># Clear existing ruleset
>#
>$fw flush
>#
># Transparent proxy: TCP packets to port 80 forwarded to Squid proxy
>#
>$fw add fwd 127.0.0.1,3128 tcp from $inet to any 80 in via $iint
>#
># Internal interface and loopback interface are open
>#
>$fw add allow ip from any to any via $iint
>$fw add allow ip from any to any via lo0
>#
># Packets still being processed are traversing the external interface
># De-NAT incoming packets to get back true destination address and port
>#
>$fw add divert natd ip from any to any in
>#
># Dynamic rules: all outgoing packets create dynamic rules which are matched
># by both outgoing and incoming. Matching packets skip to rule 10000
>#
>$fw add check-state
>$fw add skipto 10000 ip from any to any out keep-state
>#
># Here we handle unsolicited incoming packets. Allow selected ones in
># and block the rest. Our first reply will create a dynamic rule.
>#
>$fw add allow tcp from any to any 25 in setup
>$fw add allow icmp from any to any in icmptype 0,3,4,11
>$fw add allow udp from any 67 to 255.255.255.255 68 in
>$fw add deny log ip from any to any
>#
># Packets matched by dynamic rules are tested here.
># Since they have matched a rule they can be passed.
># Outgoing packets still need to be NAT'ed first.
>#
>$fw add 10000 divert natd ip from $inet to any out
>$fw add allow ip from any to any

I have a few extras in there that a "pure" router wouldn't
need, i.e. the forwarding of http to a Squid cache and the
acceptance of incoming SMTP, plus I have a Linksys DSL
modem/bridge which broadcasts DHCPACK packets once a
minute so I let them in to avoid polluting the logs.

The driver behind this is that I wanted to be able
to pass UDP safely so I could then move on to get
linuxigd working, so I can use Windows Messenger 
to have free voice conversations with a friend a few
thousand miles away.

What a shame that when I finally get round to looking
at linuxigd I realise that it is written to use ipf
and not ipfw :-((
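
The way the incoming "divert natd", check-state and the keep-state skipto rule in the script above fit together can be traced with a small model of ipfw's rule walk. This is an added example, not code from the original mail or from ipfw itself; the public address 203.0.113.10, the LAN host, the packets and the rule numbers 100-10100 are constructed, and only the external-interface rules are modelled (the Squid, SMTP, ICMP and DHCP rules are left out). It also runs the variant where the incoming divert sits after check-state, to show why the script's order matters.

```python
# Toy model of ipfw rule traversal on the external-interface path of the
# script above (constructed example, not ipfw's code).
EXT_ADDR = "203.0.113.10"   # assumed public address of rl0 (constructed)
INET = "192.168.100."       # internal net used in the script
def flow(p):  # direction-independent key, as a dynamic rule stores it
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def natd(p, d, nat):
    # Toy natd: masquerade outgoing, de-NAT known replies (source port kept).
    if d == "out" and p["src"].startswith(INET):
        nat[p["sport"]] = p["src"]
        return dict(p, src=EXT_ADDR)
    if d == "in" and p["dst"] == EXT_ADDR and p["dport"] in nat:
        return dict(p, dst=nat[p["dport"]])
    return p

def ruleset(nat_in_first=True):
    # Rules as (number, action, match(packet, direction), keep_state).
    nat_in = (100, "divert natd", lambda p, d: d == "in", False)
    rules = [(200, "check-state", None, False),
             (300, "skipto 10000", lambda p, d: d == "out", True),  # keep-state
             (400, "deny", lambda p, d: True, False),
             (10000, "divert natd", lambda p, d: d == "out", False),
             (10100, "allow", lambda p, d: True, False)]
    pos = 0 if nat_in_first else 1   # pos 1 = the wrong order, after check-state
    return rules[:pos] + [nat_in] + rules[pos:]

def run(rules, p, d, dyn, nat):
    # Walk the rules; return (final action, packet as ipfw last saw it).
    i = 0
    while i < len(rules):
        _, action, match, keep = rules[i]
        if action == "check-state":
            if flow(p) not in dyn: i += 1; continue
            action = dyn[flow(p)]        # dynamic match: take the parent's action
        elif not match(p, d): i += 1; continue
        elif keep: dyn[flow(p)] = action  # keep-state creates the dynamic rule
        if action == "divert natd": p = natd(p, d, nat); i += 1; continue
        if action.startswith("skipto"):
            i = next(j for j, r in enumerate(rules) if r[0] >= int(action.split()[1])); continue
        return action, p
    return "deny", p

def session(nat_in_first=True):
    rules, dyn, nat = ruleset(nat_in_first), {}, {}   # constructed LAN query + reply
    out = {"src": INET + "5", "sport": 40000, "dst": "198.51.100.53", "dport": 53}
    a1, sent = run(rules, out, "out", dyn, nat)
    back = {"src": sent["dst"], "sport": 53, "dst": sent["src"], "dport": 40000}
    a2, got = run(rules, back, "in", dyn, nat)
    return a1, sent["src"], a2, got["dst"]
```

With the divert first, the reply is de-NAT'ed back to the LAN host before check-state sees it, so it matches the dynamic rule and reaches the allow at 10000; with the divert after check-state the reply still carries the external address, misses the state and falls into the deny.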
