IPFW: combining "divert natd" with "keep-state"

Jim Hatfield subscriber at insignia.com
Fri Jun 20 03:40:58 PDT 2003


On Wed, 11 Jun 2003 12:20:20 +0100, in local.freebsd.security you
wrote:

>: ipfw -f flush
>: ipfw add 100 divert natd ip from any to any via rl0 in
>: ipfw add 200 check-state
>: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
>: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0
>: ipfw add 400 skipto 500 ip from any to any out via rl0 keep-state
>: ipfw add 500 divert natd ip from any to any out via rl0
>: ipfw add 600 deny ip from 192.168.0.0/16 to any out via rl0
>: ipfw add 600 deny ip from any to 192.168.0.0/16 out via rl0
>: ipfw add 65000 allow ip from any to any

Tricky indeed.

I've been playing with the rules suggested by Greg Panula,
but I don't really like them for a couple of reasons:

- I prefer to keep the internal interface open. I often
  telnet into the router and keep the session open and
  inactive for hours, and the dynamic rules time out and
  kill it.

- a rule is created which is never used, i.e. the outgoing
  packet starting a conversation creates two rules, only
  one of which is used in the check-state to match incoming.

So I will try out your set. But one question first: do you
ever get hits on the second rule 300? I would have thought
it very difficult for anyone to route a packet to you with
a non-routable destination address. Surely only your ISP
could do that?

Jim
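The following is an added example, not part of Jim's post or of the quoted ruleset. It walks constructed packets through the nine quoted rules in order, modelling what the thread is wrestling with: natd re-injecting the packet after each divert so that the search resumes at the next rule, keep-state at rule 400 recording the flow before the divert at 500 (so the dynamic rule carries the private source address), and check-state at 200 matching the reply only because the divert at 100 has already restored the private destination. The address of rl0, the remote hosts and the natd redirect_port-style mapping of port 8080 to 192.168.1.20 are assumptions for illustration; the last trace shows the one way, in this model, that a packet can reach the second rule 300 with a private destination: natd itself rewriting the destination before rule 300 is consulted.

```python
"""Trace constructed packets through the ipfw ruleset quoted above.

Models only what those rules need: natd translation on rl0, the dynamic rules
made by keep-state and consulted by check-state, skipto, deny and allow.
Addresses are constructed (RFC 5737 ranges); the address of rl0 and the natd
redirect are assumptions, not taken from the post.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"        # assumed address of rl0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str               # "in" or "out" via rl0


def private(addr):
    """192.168.0.0/16, the range the quoted deny rules name."""
    return addr.startswith("192.168.")


def flow(p):
    """Direction-independent key for a keep-state dynamic rule."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Natd:
    """Rewrite src on the way out; undo it (or apply a redirect_port-style
    mapping, an assumption) on the way in. Anything else passes untouched."""
    def __init__(self, redirects=None):
        self.table = {}                   # (remote ip, remote port, local port) -> inside host
        self.redirects = redirects or {}  # local port -> inside host

    def translate(self, p):
        if p.direction == "out" and private(p.src):
            self.table[(p.dst, p.dport, p.sport)] = p.src
            return replace(p, src=PUBLIC_IP)
        if p.direction == "in" and p.dst == PUBLIC_IP:
            inside = self.table.get((p.src, p.sport, p.dport)) or self.redirects.get(p.dport)
            if inside:
                return replace(p, dst=inside)
        return p


# The quoted ruleset in order: (label, predicate, action, argument).
# Duplicate numbers are legal in ipfw; 300a/300b and 600a/600b tell them apart.
RULES = [
    ("100",   lambda p: p.direction == "in",                     "divert",      None),
    ("200",   lambda p: True,                                    "check-state", None),
    ("300a",  lambda p: p.direction == "in" and private(p.src),  "deny",        None),
    ("300b",  lambda p: p.direction == "in" and private(p.dst),  "deny",        None),
    ("400",   lambda p: p.direction == "out",                    "skipto",      "500"),
    ("500",   lambda p: p.direction == "out",                    "divert",      None),
    ("600a",  lambda p: p.direction == "out" and private(p.src), "deny",        None),
    ("600b",  lambda p: p.direction == "out" and private(p.dst), "deny",        None),
    ("65000", lambda p: True,                                    "allow",       None),
]
KEEP_STATE = {"400"}                      # rules that carry keep-state
INDEX = {label: k for k, (label, *_rest) in enumerate(RULES)}


class Firewall:
    def __init__(self, natd):
        self.natd = natd
        self.dynamic = {}                 # flow key -> label of the rule that created it

    def trace(self, p):
        """Return (verdict, labels of rules that matched, packet as last seen)."""
        path, i = [], 0
        while i < len(RULES):
            label, match, action, arg = RULES[i]
            if not match(p):
                i += 1
                continue
            if action == "check-state":
                parent = self.dynamic.get(flow(p))
                if parent is None:        # no dynamic rule: fall through
                    i += 1
                    continue
                action, arg = RULES[INDEX[parent]][2:]   # run the parent rule's action
            path.append(label)
            if label in KEEP_STATE:       # recorded before NAT, so with the private src
                self.dynamic[flow(p)] = label
            if action == "divert":        # natd reinjects; search resumes at the next rule
                p = self.natd.translate(p)
                i += 1
            elif action == "skipto":
                i = INDEX[arg]
            else:
                return action, path, p
        return "deny", path, p            # ipfw default if nothing matched


def demo():
    """Five traces against one firewall; returns {name: (verdict, path, packet)}."""
    fw = Firewall(Natd(redirects={8080: "192.168.1.20"}))   # assumed redirect
    inside, remote, other = "192.168.1.10", "198.51.100.7", "198.51.100.9"
    return {
        "out":         fw.trace(Packet(inside, remote, 40000, 80, "out")),
        "reply":       fw.trace(Packet(remote, PUBLIC_IP, 80, 40000, "in")),
        "unsolicited": fw.trace(Packet(other, PUBLIC_IP, 5555, 22, "in")),
        "spoofed":     fw.trace(Packet("192.168.5.5", PUBLIC_IP, 1234, 22, "in")),
        "redirected":  fw.trace(Packet(other, PUBLIC_IP, 5555, 8080, "in")),
    }


if __name__ == "__main__":
    for name, (verdict, path, pkt) in demo().items():
        print(f"{name:12} {verdict:5} via {' -> '.join(path):22} dst={pkt.dst}")
```

Read the traces against the quoted numbers: the outbound packet takes 400, 500, 65000 and leaves a dynamic rule keyed on 192.168.1.10; its reply takes 100, 200, 65000 because natd at 100 rewrites the destination back before check-state at 200 runs. An unsolicited packet to the router's public address is left alone by natd, misses both rule 300 entries and reaches the final allow, while only a spoofed private source (first rule 300) or a natd redirect to an inside host (second rule 300, the assumed case) produces a deny at 300.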

