Statefull filtering with IPFW + IPFilter (was: Packet flow through IPFW+IPF+IPNAT)

Vandyuk Eugene duke at irpen.kiev.ua
Wed Jun 4 08:54:52 PDT 2003


On Mon, Jun 02, 2003 at 08:11:40PM -0300, Fernando Gleiser wrote:
> On Mon, 2 Jun 2003, Vlad GALU wrote:
> 
> > 	Example one: IPF is compiled in kernel, IPFW is a module. In this case
> > IPFW stands 'outside' of IPF.
> > 	Example two: vice versa: the order in which they take action is reversed
> > too.
> 
> Are you sure? Last time I saw the code (almost a year ago) it didn't
> make a difference if they were loaded as modules or compiled in kernel.
> The hooks were in the same place.
> 
> > 	IPNAT is always 'outside' IPF.
> 
> Or, in other words, IPF always 'sees' the real IPs, not the NATed ones.
> 

I have done some tests with IPFW and IPF compiled into the kernel and I was
confused. The packet flow was:

   OUTGOING:  IPF -> IPNAT -> IPFW
   INCOMING:  IPNAT -> IPF -> IPFW

As a result, both outgoing and incoming packets are NAT'ed _before_ IPFW?!
Rule matching in IPFW looks very strange:

   add count ip from NAT_IP to any out
   add count ip from any to REAL_IP in

but in IPFilter it looks good:

   permit out from REAL_IP to any
   permit in from any to REAL_IP

   So I suggest that in a kernel with IPFW+IPF compiled in, stateful filtering
does not work in IPFW but only works in IPFilter???
   I think this is wrong and it should be corrected in this way:

   OUTGOING:  IPF -> IPNAT -> IPFW
   INCOMING:  IPFW -> IPNAT -> IPF

   This packet flow would let IPFW do correct stateful filtering on packets
NAT'ed by IPNAT. IPFW would always be 'outside' IPNAT. This would also give
more capabilities for building firewalls with all the power and flexibility
of IPFW and IPFilter in one kernel.

With respect, Eugene.
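The two hook orders from the post, as an added toy model that is not code from the post or from FreeBSD: IPNAT rewrites the address, and a minimal keep-state/check-state table stands in for IPFW, so one can see which address IPFW records on egress and whether the reply still matches on ingress. The addresses, the host layout, and reducing IPFW state to a source/destination pair (real ipfw also keys on protocol and ports) are assumptions.

```python
# Toy model of the packet path described in the post.  A packet visits the
# hooks in order; IPNAT rewrites REAL_IP <-> NAT_IP; IPFW is reduced to a
# keep-state/check-state table keyed on the addresses it actually sees.
REAL_IP = "192.168.1.10"   # constructed: private address behind IPNAT
NAT_IP = "203.0.113.5"     # constructed: public address after translation
SERVER = "198.51.100.7"    # constructed: remote host

def ipnat(pkt, direction):
    """Rewrite the source on egress and the destination on ingress."""
    pkt = dict(pkt)
    if direction == "out" and pkt["src"] == REAL_IP:
        pkt["src"] = NAT_IP
    elif direction == "in" and pkt["dst"] == NAT_IP:
        pkt["dst"] = REAL_IP
    return pkt

class Ipfw:
    """'keep-state' records the egress tuple; 'check-state' on ingress
    passes only the exact reverse of a recorded tuple (simplified)."""
    def __init__(self):
        self.state = set()

    def check(self, pkt, direction):
        if direction == "out":
            self.state.add((pkt["src"], pkt["dst"]))
            return True
        return (pkt["dst"], pkt["src"]) in self.state

def traverse(chain, pkt, direction, fw):
    """Push one packet through the hooks; IPF is a pass-through here.
    Returns (IPFW verdict, packet as IPFW saw it)."""
    verdict, seen = True, None
    for hook in chain:
        if hook == "IPNAT":
            pkt = ipnat(pkt, direction)
        elif hook == "IPFW":
            seen, verdict = dict(pkt), fw.check(pkt, direction)
    return verdict, seen

def reply_passes(out_chain, in_chain):
    """Open a connection outbound, then test whether IPFW admits the reply."""
    fw = Ipfw()
    traverse(out_chain, {"src": REAL_IP, "dst": SERVER}, "out", fw)
    verdict, _ = traverse(in_chain, {"src": SERVER, "dst": NAT_IP}, "in", fw)
    return verdict

# Hook orders from the post: what the author measured, and what he proposes.
OBSERVED = (["IPF", "IPNAT", "IPFW"], ["IPNAT", "IPF", "IPFW"])
PROPOSED = (["IPF", "IPNAT", "IPFW"], ["IPFW", "IPNAT", "IPF"])
```

With the observed order IPFW records NAT_IP on the way out but is handed REAL_IP on the way in, so the reply never matches its state; with the proposed order it sees NAT_IP on both legs.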


More information about the freebsd-security mailing list