IPFW with NAT and keep-state

Robert Downes nullentropy at lineone.net
Mon Jun 14 07:12:01 PDT 2004


There seems to be confusion as soon as IPFW is used for NAT and for 
stateful dynamic rules.

My ruleset so far contains the below rules, and I wonder if someone can 
tell me if there's anything incorrect about them (with regard to 
correctly using NAT and dynamic rulesets):

bash-2.05b# ipfw -a list
00100 3155 1100714 divert 8668 ip from any to any via rl0
00200    0       0 check-state
00300  200   25128 allow ip from me to me
00400 1991  131910 allow ip from 192.168.0.0/24 to any keep-state
00500 3928 2038665 allow ip from 192.168.1.0/24 to any keep-state
65535    1     338 deny ip from any to any

I'm not asking if these rules are battleship secure - I'm sure I have a lot of work to do yet in creating a tigher ruleset. What I want to know is: are these rules correctly allowing NAT to work with dynamic rules, or is there some gaping security flaw that I'm missing?

With the above rules, I can use the gateway machine to connect to the Internet (well, any website of my choice), and I can also use a machine on the 192.168.1 subnet to connect through the gateway to any website, mail server, etc. So NAT seems to be working.

If I remove the keep-state option from the 192.168.1 line, then the LAN machine can send a request to a website, but never gets a reply. Removing the keep-state from the 192.168.0 line stops the gateway asking for pages. So the dynamic rule system seems to be working.

So it would seem that NAT and dynamic rules are working harmoniously together. But how naive am I being? What might I be missing?

Also, if I have got them working together correctly, why do I end up with a lot of packets denied by the `deny ip from any to any` rule? What are these few packets, and what tried to send them? Any ideas?

(By The Way... I remember why I stopped using Usenet all those years ago - have you seen what's being done to c.u.b.freebsd.misc lately? Not the correct way to promote Windows and discredit Linux.)
-- 
Bob



More information about the freebsd-questions mailing list