need ipfw clarification

Bill Moran wmoran at potentialtech.com
Fri Feb 4 13:40:19 PST 2005 

I'm confusing natd forwarding with IPFW forwarding.

My apoligies for posting incorrect information, and thanks to Julian for
correcting me.

Julian Elischer <julian at elischer.org> wrote:
> 
> Bill Moran wrote:
> 
> >Duane Winner <dwinner-lists at att.net> wrote:
> >
> >  
> >
> >>Thanks Roberto,
> >>
> >>Just to make sure I understand though, I only need to be concerned 
> >>"forwarding" and "forward rules" if I'm setting up a multi-homed host 
> >>(i.e., router), is this correct?
> >>    
> >>
> >
> >It doesn't even apply then.  IPFW forwarding forwards packets and rewrites
> >their IP headers to make one machine look like another.  While this is
> >commonly used on firewalls, it's not the same thing as turning on
> >forwarding (i.e. routing between interfaces) and isn't required to set
> >up a multi-homed "router".
> >
> 
> 
> Actually that's not QUITE correct..
> ipfw forwarding works as it does because it does NOT rewrite any headers.
> The packet just shows up at the other place without any clue as to how 
> it got there. :-)
> 
> >
> >For example, I use IPFW forwarding so that my firewall forwards VNC
> >packets to my desktop, so outsiders can connect directly to my desktop
> >through the firewall.
> >  
> >
> ipfw forwarding is actually two different services.
> 
> What it does is different depending on whether the forwarding target is 
> the local machine or
> is another machine.
> 
> When forwarding to another machine, the unalterred packet is sent to 
> that machine without
> alteration. If that other machine feels that the packet belongs 
> elsewhere,  it may send it on or
> even back.
> 
> The second form is when the local machine is the target. The packet is 
> sent to the socket listenning on
> the nominated port locally, regardless of what destination machine it is 
> supposed to go to.
> 
> If  you use type 1 to forward to another machine then if the packet is 
> not naturally destined for that
> machine,  you may need the same rule (working in the second form) on 
> that machine to make sure
> that it is used on that machine instead of being forwarded elsewhere.
> 
> The neat part about local forwarding is that the local socket itself 
> thinks it is on the intended destination
> machine so doing a getsockname() returns the address of the intended target.
> This makes proxying an absolutly simple process, as the sockaddr 
> returned can be used directly to open
> a socket to the intended target..
> 
> 
> >  
> >
> >>If I'm just using ipfw for  single-host based firewall protection, then 
> >>forwarding doesn't apply, right?
> >>    
> >>
> >
> >That's correct.
> >
> >  
> >
> >>Thanks again,
> >>Duane
> >>
> >>
> >>
> >>Roberto Nunnari wrote:
> >>
> >>    
> >>
> >>>Hi Duane.
> >>>
> >>>I had the same problem.. With 5.2.1 I had working forward rules
> >>>and that were broke with 5.3
> >>>
> >>>after some fiddling I managed to have that work again.. just
> >>>add them to your kernel:
> >>>
> >>>options         IPFIREWALL
> >>>options         IPFIREWALL_DEFAULT_TO_ACCEPT
> >>>options         IPFIREWALL_VERBOSE
> >>>options         IPFIREWALL_FORWARD
> >>>
> >>>if you don't add them to your kernel, forwarding in ipfw will
> >>>be disabled.
> >>>
> >>>Ciao.
> >>>
> >>>
> >>>Duane Winner wrote:
> >>>
> >>>      
> >>>
> >>>>Hello,
> >>>>
> >>>>I noticed that after enabling firewall in my kernel (5.3-release), my 
> >>>>dmesg now gives me this:
> >>>>
> >>>>ipfw2 initialized, divert disabled, rule-based forwarding disabled, 
> >>>>default to accept, logging limited to 5 packets/entry by default
> >>>>
> >>>>
> >>>>On 5.2.1, I used to get this:
> >>>>
> >>>>ipfw2 initialized, divert disabled, rule-based forwarding enabled, 
> >>>>default to accept, logging disabled
> >>>>
> >>>>If both cases, I am adding this to my KERNEL config:
> >>>>
> >>>>options         IPFIREWALL
> >>>>options         IPFIREWALL_DEFAULT_TO_ACCEPT
> >>>>
> >>>>
> >>>>It seems that the major difference between 5.2.1 and 5.3 is that now 
> >>>>rule-based forwarding is disabled.
> >>>>
> >>>>Is this correct? And what exactly is rule-based forwarding? I'm 
> >>>>guessing that it doesn't really apply to my situation, as in these 
> >>>>cases, I am using IPFW to create a deny all inbound to my laptop when 
> >>>>I'm on the road. But I just want to make sure.
> >>>>
> >>>>Thanks,
> >>>>DW
> >>>>_______________________________________________
> >>>>freebsd-security at freebsd.org mailing list
> >>>>http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >>>>To unsubscribe, send any mail to 
> >>>>"freebsd-security-unsubscribe at freebsd.org"
> >>>>        
> >>>>
> >>>
> >>>      
> >>>
> >>_______________________________________________
> >>freebsd-security at freebsd.org mailing list
> >>http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >>To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
> >>    
> >>
> >
> >
> >  
> >
> 


-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20050204/7b168ece/attachment.bin

More information about the freebsd-security mailing list