----- Original Message -----
From: "Ken Bolingbroke" <[EMAIL PROTECTED]>
To: "fbsd_user" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, January 19, 2004 10:28 PM
Subject: RE: ipfw/nated stateful rules example
> On Mon, 19 Jan 2004, fbsd_user wrote:
>
> > That's a play on words. And still does not prove stateful rules work on
> > the interface facing the public internet. There is no documentation that
> > says keep-state and limit only works on the interface facing the private
> > Lan network. And the implied meaning is they are to be used on the
> > interface facing the public internet.
>
> I just jumped in the middle here, so I may be out of context.
>
> But, stateful rules don't play nice with NAT. Consider non-NAT, a public
> IP address contacting an Internet address:
>
> 18.104.22.168 -> 22.214.171.124
>
> A rule is created for 126.96.36.199 coming to 188.8.131.52. When
> 184.108.40.206 replies, the stateful rule lets it in. This is good.
>
>
> But consider NAT:
>
> 10.0.0.10 changed to 220.127.116.11 -> 18.104.22.168
>
> If you do a keep-state before NAT, you have a rule to allow 22.214.171.124
> to 10.0.0.10, but the return incoming packet will be 126.96.36.199 ->
> 188.8.131.52, so the rule doesn't match.
>
> If you do a keep-state after NAT, then you have a rule to allow
> 184.108.40.206 to 220.127.116.11. The return incoming packet matches that
> rule, but it accepts the packet and packet processing stops, so it's never
> passed through NAT, and never makes it back to 10.0.0.10.
>
>
> So as it stands now, I don't see that you can use stateful connections
> with NAT, unless check-state is changed to allow a packet to be passed
> through NAT.
>
> Ken Bolingbroke

Ken, try this one. This is what I use here at home and it does indeed work:

Launch NATD with

    natd -interface ep0 -s -m -u

(Only RFC1918 packets get altered)

## Divert everything to NAT.
ipfw add 1 divert natd ip from any to any via ep0

#Prevent inbound spoof attempts for my lan range
ipfw add 10 deny ip from 192.168.1.0/24 to any in via ep0

#Check State Rules
ipfw add 20 check-state

#LAN Allow Stateful
ipfw add 31 allow ip from 192.168.1.0/24 to any keep-state

#Allow Outbound Stateful.
ipfw add 40 allow ip from 68.12.xx.xx to any keep-state

NAT keeps a separate table of its translations to provide a back channel.
Traffic comes in, generates a dynamic ruleset, gets translated, heads out
and creates the 2nd dynamic for the packet. You'll end up with something
like this:

ipfw -d list
<snip>
## Dynamic rules:
00040 4 692 (T 18, slot 215) <-> tcp, 68.12.xx.xx 3777 <-> 18.104.22.168 80
00031 35 20374 (T 10, slot 219) <-> udp, 192.168.1.3 4986 <-> 22.214.171.124 27019
00031 3 216 (T 1, slot 483) <-> tcp, 192.168.1.1 22 <-> 192.168.1.2 3574
00031 16 11902 (T 298, slot 752) <-> tcp, 192.168.1.2 3777 <-> 126.96.36.199 80

Granted, you'll end up with a dual entry for each packet in stateful space,
but it does work. Perhaps not as intended with a single match but you can
use stateful with NAT.

--
Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600

[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
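To make the rule-ordering argument in the two messages concrete, here is a small Python model of ipfw rule processing with a natd divert; it is an added illustration, not code from the thread or from FreeBSD. It runs Micheal's rules 1, 20, 31 and 40 (rule 10, the spoof filter, is left out because it never matches in this trace) and the same rules with check-state placed ahead of the divert, which is Ken's keep-state-before-NAT case, through one outbound packet and its reply; the LAN interface name xl0, the public address 68.12.0.1 and the server 203.0.113.5 are constructed stand-ins.

```python
PUB = "68.12.0.1"        # constructed stand-in for the 68.12.xx.xx public address
LAN = "192.168.1."       # the RFC1918 range natd -u translates
SERVER = "203.0.113.5"   # constructed remote web server (TEST-NET-3)

class Gateway:
    """Dynamic (keep-state) rules plus natd's own translation table."""
    def __init__(self, rules):
        self.rules, self.dyn, self.nat = rules, set(), {}

    def natd(self, src, dst, direction):
        # natd -u: rewrite an RFC1918 source outbound, undo that mapping inbound.
        if direction == "out" and src.startswith(LAN):
            self.nat[(dst, PUB)] = src
            return PUB, dst
        if direction == "in" and (src, dst) in self.nat:
            return src, self.nat[(src, dst)]
        return src, dst

    def run(self, src, dst, iface, direction):
        """One pass through the rule list, as ipfw makes per interface.
        Returns (verdict, src, dst) with any translation applied."""
        for rule in self.rules:
            kind = rule[0]
            if kind == "divert" and iface == rule[1]:
                src, dst = self.natd(src, dst, direction)  # natd reinjects after this rule
            elif kind == "check-state" and {(src, dst), (dst, src)} & self.dyn:
                return "allow", src, dst            # a dynamic match ends processing here
            elif kind == "keep-state" and src.startswith(rule[1]):
                self.dyn.add((src, dst))
                return "allow", src, dst
        return "deny", src, dst

# Rules 1, 20, 31 and 40 from Micheal's reply, in that order (rule 10 omitted).
MICHEAL = [("divert", "ep0"), ("check-state",), ("keep-state", LAN), ("keep-state", PUB)]
# The same rules with state checked before the divert: Ken's keep-state-before-NAT case.
STATE_BEFORE_NAT = [("check-state",), ("keep-state", LAN), ("keep-state", PUB), ("divert", "ep0")]

def round_trip(rules, lan_host="192.168.1.2", lan_if="xl0"):
    """One packet LAN -> SERVER plus its reply.  Returns (source the server
    sees, host the reply reaches or None, number of dynamic rules)."""
    gw = Gateway(rules)
    v, s, d = gw.run(lan_host, SERVER, lan_if, "in")
    v, s, d = gw.run(s, d, "ep0", "out")
    if v != "allow" or s.startswith(LAN):
        return s, None, len(gw.dyn)   # a reply to an RFC1918 source never reaches ep0
    seen = s
    v, s, d = gw.run(SERVER, s, "ep0", "in")
    v, s, d = gw.run(s, d, lan_if, "out")
    return seen, (d if v == "allow" else None), len(gw.dyn)
```

The two dynamic entries the first trace leaves behind are the 00031/00040 pair in Micheal's `ipfw -d list`; the second trace shows why a check-state ahead of the divert lets the packet leave with its private source, so no reply can ever come back.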