Policy routing with IPFW

Crist J. Clark cristjc at comcast.net
Fri Apr 16 13:30:20 PDT 2004


On Thu, Apr 15, 2004 at 03:39:45PM -0700, Stephen Gill wrote:
> Hi David,
> 
> Well, that might be a half a step closer... I just tried this
> combination with a 50% success rate :).  Inbound connections work quite
> well, but connections originating from the box itself do not work.  
> Any ideas as to how to make this rulebase work with policy routing for
> outbound connections as well?
> 
> I think it is interfering with the dynamic rules.  ICMP appears to
> work, but that is all.   I would like to still use the dynamic
> capabilities of stateful filtering if possible.

That is a problem with your setup since 'fwd' rules match and exit.
So what happens is,

> # POLICY ROUTING
> ${fwcmd} add 095 allow ip from ${IP1} to ${IP1-NET}
> ${fwcmd} add 100 fwd ${IP1-GW} ip from ${IP1} to any

Packets match here and go out.

> ${fwcmd} add 110 allow ip from ${IP2} to ${IP2-NET}
> ${fwcmd} add 115 fwd ${IP2-FW} ip from ${IP2} to any

Or match here and go out.

Which means they never reached these:

> # Allow from me to anywhere
> ${fwcmd} add 240 allow tcp from me to any setup keep-state
> ${fwcmd} add 260 allow udp from me to any keep-state
> ${fwcmd} add 280 allow icmp from me to any

This also will mess with stateful connections (TCP) coming in since
the responses never get seen by the dynamic rules.

For incoming connections, using dynamic rules is actually bad for
security in the first place, so dropping that is not a problem.

For the outgoing traffic... problem.

  $fwcmd add fwd ${IP1-GW} tcp from me to any setup keep-state

Won't work since applying a 'fwd' to the returning traffic is
a bad idea (routing loop).
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org
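A toy model of the rule walk described above, added here as an illustration and not code from the thread or from ipfw itself. It walks a packet through the quoted rules 095/100/240 and through the 'fwd ... keep-state' variant: IP1, IP1_NET, IP1_GW and the peer address are constructed stand-ins for the shell variables, and the model ignores interfaces and in/out direction.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses standing in for ${IP1}, ${IP1-NET} and ${IP1-GW}.
IP1, IP1_NET, IP1_GW = "192.0.2.10", "192.0.2.0/24", "192.0.2.1"

@dataclass
class Rule:
    num: int
    action: str            # "allow", "deny" or "fwd"
    src: str               # "any", "me", an address or a CIDR prefix
    dst: str
    keep_state: bool = False
    next_hop: str = ""     # used only by "fwd"

def addr_matches(pattern, addr, local):
    if pattern == "any":
        return True
    if pattern == "me":
        return addr in local
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

class ToyIpfw:
    """Rules are tried in number order; the first matching allow/deny/fwd ends the
    search. A keep-state rule consults the dynamic table first (ipfw's implicit
    check-state) and, on a match, records an entry replaying its own action for
    later packets in either direction between the two hosts."""
    def __init__(self, rules, local):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.local, self.dynamic = set(local), {}
    def packet(self, src, dst):  # returns (rule number, verdict) for src -> dst
        key = frozenset((src, dst))
        for r in self.rules:
            if r.keep_state and key in self.dynamic:
                return self.dynamic[key]
            if addr_matches(r.src, src, self.local) and addr_matches(r.dst, dst, self.local):
                verdict = (r.num, f"fwd {r.next_hop}" if r.action == "fwd" else r.action)
                if r.keep_state:
                    self.dynamic[key] = verdict
                return verdict
        return (65535, "deny")  # toy default-deny at the end of the list

def original_ruleset():  # rules 095/100/240 from the thread; IP2 rules omitted
    return ToyIpfw([Rule(95, "allow", IP1, IP1_NET),
                    Rule(100, "fwd", IP1, "any", next_hop=IP1_GW),
                    Rule(240, "allow", "me", "any", keep_state=True)], local={IP1})

def fwd_keep_state_ruleset():  # the 'fwd ... keep-state' variant the reply warns against
    return ToyIpfw([Rule(100, "fwd", "me", "any", keep_state=True, next_hop=IP1_GW)], local={IP1})
def trace(fw, src, dst):  # verdicts for a connection opened from src, then the peer's reply
    return fw.packet(src, dst), fw.packet(dst, src)
```

With the original rules the outbound packet exits at 100 and the reply finds no dynamic entry at 240; with keep-state on the fwd rule the reply is itself handed to the gateway, which is the loop described above.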