keep-state and in-kernel NAT exposes local ip on external interface
bycn82
bycn82 at gmail.com
Tue Jul 28 06:50:02 UTC 2015
for me. i am totally dont understand all these. waiting dor example as
well
On Tuesday, July 28, 2015, Ian Smith <smithi at nimnet.asn.au> wrote:
> Way back on Wed, 1 Jul 2015 22:02:53 +0300, Lev Serebryakov wrote:
> > On 30.06.2015 22:20, Georgios Amanakis via freebsd-ipfw wrote:
> >
> > It is good example for my changes :) All this "skipto / keep-state"
> > magic is not understandable.
>
> Indeed. So all we're waiting for, Lev, is some simple usage examples of
> how things should be done with your new stateful operators, especially
> when combining stateful rules with NAT. Please see what you can do ..
>
> I know it's clear to you, but I for one cannot get my head around these
> without a couple of examples, roughly suitable for inclusion in ipfw(8)
> EXAMPLES section. Rough illustrations would do fine at first.
>
> In the problems shown lately, including the one below (harder to read
> with the quoting wrapped like that!) it seems the problem of keepalives
> being issued using the internal address would not occur if keep-state
> was only applied _after_ NAT, only on the already-translated source
> address, but like you and apparently many others, I find these rulesets
> very difficult to follow in terms of different possible flows.
>
> cheers, Ian
>
> > > On FreeBSD 10.1p13 with two interfaces em0(internet) and em1(lan) I
> > > can fish (tcpdump)packets on em0 which have escaped the in-kernel
> > > NAT and have as source address an IP on the LAN.
> > >
> > > This should not happen and I can confirm that with pf this is not
> > > the case. I have the following ipfw rules:
> > >
> > > nat: ipfw nat 123 config ip xxx.xxx.xxx.xxx same_ports reset
> > >
> > > 00100 reass ip from any to any in 00200 allow ip from any to any
> > > via lo0 00300 allow ip from any to any via em1 00400 nat 123 ip
> > > from any to any in recv em0 00500 check-state 00600 skipto 24000 ip
> > > from any to me dst-port 80,443,22,500,4500,1194,993,8112 in recv
> > > em0 keep-state 00700 skipto 24000 ip from any to any out xmit em0
> > > keep-state 00800 deny log ip from any to any 24000 nat 123 ip from
> > > any to any out xmit em0 24100 allow ip from any to any
> > >
> > > Contrary to many online tutorials, including the example of the
> > > handbook regarding NAT (
> > > https://www.freebsd.org/doc/handbook/firewalls-ipfw.html), when
> > > one places the NAT rules with the opposite order (i.e. outbound
> > > rule first and then the inbound rule) the problem disappears.
> > >
> > > i.e. ... 00400 nat 123 ip from any to any out xmit em0 ... 24000
> > > nat 123 ip from any to any in recv em0 ...
> > >
> > > Why is this happening? Any objections to reversing the order of the
> > > NAT rules?
>
> > - --
> > // Lev Serebryakov
> _______________________________________________
> freebsd-ipfw at freebsd.org <javascript:;> mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org
> <javascript:;>"
>
More information about the freebsd-ipfw
mailing list