IPFW and NATD
Robert Downes
nullentropy at lineone.net
Thu Mar 3 00:04:17 GMT 2005
Chico wrote:
>/etc/firewall.rules:
>add 200 pass all from any to any via lo0
>add 300 divert natd all from any to any via fxp0
>add 400 allow all from any to any 3389 keep-state
>
Well, I stopped using IPFW last month (month before?) and changed to PF
because it is quite feature-filled and fairly nicely documented (apart
from the gritty details of HFSC queuing). And I never ran any
publicly-accessible services from my machine. But having said that...

I think the problem may be that you are using NAT but you are not
reflecting this in your ruleset. You see, NAT works by changing the
source port addresses of packets from your local network on the way out,
and it changes the destination port addresses of packets on the way back
into your local network. This happens at the point of the divert rule.
So when you say "any to any 3389", packets coming into your machine, you
have already activated NAT diversion, and the packets have been changed.
Which means that packets from the Internet destined for your port 3389
will have their destination port changed by NAT so that the public IP
address can be matched to a local IP address. So your rule to match port
3389 may never be matched, even by packets that the rule was created to
allow in.

I recommend you read up on how NAT works, so you bear it in mind in
future, and then look for the IPFW skipto 800 trick that I used to use
to get around NAT.

The trick is shown in the very last example on this page in The Handbook,
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

Basically, the "divert natd" rule is split into two: an inbound and an
outbound rule. The inbound NAT occurs early in the ruleset, so that you
can refer to local IP addresses correctly. For each rule that you want
to allow an outbound packet, you use "skipto 800" instead of "allow",
and at rule 800 you have the outbound NAT rule, so that outbound packets
are correctly re-addressed for the Internet. After that outbound NAT
rule, you allow all. This means you need a deny all rule just before
rule 800, so that anything that doesn't match is denied rather than NATd
and allowed.

Pretty nifty, but also pretty inelegant compared to the ruleset you'd
end up with if you were using PF. Having said that, IPFW served me well
for over a year before my itchy feet made me try out the alternative.
--
Bob
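The split-divert layout Bob describes, written out in the /etc/firewall.rules format Chico quoted. This is an added illustration, not the Handbook's example and not anything posted in the thread. It assumes fxp0 is the public interface, xl0 the inside interface, 192.168.1.0/24 the LAN, 192.168.1.10 the host that should receive TCP 3389, and that natd was started with a matching -redirect_port for that host; all of these values are constructed.

```text
# Constructed example: fxp0 = public interface, xl0 = inside interface,
# 192.168.1.0/24 = LAN, 192.168.1.10 = inside host that should receive
# TCP 3389 (assumes natd -redirect_port tcp 192.168.1.10:3389 3389).

add 100 allow all from any to any via lo0
add 110 allow all from any to any via xl0

# Inbound NAT first: after this rule an inbound packet carries its
# translated (local) destination, so later rules can name local hosts.
add 200 divert natd all from any to any in via fxp0
add 210 check-state

# Outbound traffic you want to permit: "skipto 800", never "allow",
# so the packet still reaches the outbound NAT rule at 800.
add 300 skipto 800 tcp from 192.168.1.0/24 to any 22,25,53,80,443 out via fxp0 setup keep-state
add 310 skipto 800 udp from 192.168.1.0/24 to any 53,123 out via fxp0 keep-state
add 320 skipto 800 icmp from 192.168.1.0/24 to any out via fxp0 keep-state

# Inbound service to an inside host: match the post-NAT local address,
# not "any 3389" on the public side. The action is skipto 800 here too,
# because check-state runs the parent rule's action for reply packets,
# and the inside host's replies must still be NATed on the way out.
add 400 skipto 800 tcp from any to 192.168.1.10 3389 in via fxp0 setup keep-state

# Anything not handled above is dropped here, before the outbound NAT
# rule, so it is never translated and allowed by accident.
add 700 deny log all from any to any

# skipto target: outbound NAT, then allow whatever reached this point.
add 800 divert natd all from any to any out via fxp0
add 810 allow all from any to any
```

Rule 200 sits before check-state on purpose: the dynamic rule created by rule 300 records the inside host's private address, so a reply from the Internet must be translated back to that address before check-state can match it.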