Re: FW: ipfw, natd and routing question

From: Crist Clark (crist.clark@globalstar.com)
Date: 06/11/01


Date: Mon, 11 Jun 2001 11:35:07 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: Robin Huiser <robin@bequbed.com>

Robin Huiser wrote:
>
> Hi all,
>
> I hope someone can help me with this problem I'm trying to solve. I think
> the answer is trivial, but so far I'm stuck.
>
> Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:
>
> -- DMZ
> /
> EXT--FIREWALL---
> \
> -- LAN
>
> -The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
> -The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
> -The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24
>
> I use NAT to 'route' traffic from the LAN to the Internet
> I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet
>
> So far, so good.
>
> But... how do I prevent the NAT to 'translate' the IP addresses when a
> session is set up from the DMZ segment to a host somewhere on the Internet?
> I want all traffic to be routed from the DMZ subnet to the Internet...
>
> I've tried to alter the natd rule, without any success.
> The rules I tried didn't work or had bad side effects, so I moved back to
> the standard natd rule, but everything gets NAT-ed now...
>
> Some examples I tried:
>
> #
> # The rule below works, but it causes TCP/IP timeouts and a *very* slow
> # connection between the DMZ and EXT subnets...
> #
> ${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to any
> via ${natd_interface}

This should really work. I do not understand why it would slow things
down. Is it having bad interactions with other rules? Traffic coming
out of your extranet does not go through natd(8). The return traffic
does go through natd(8), but since there is no entry in the NAT table
generated by outgoing traffic, the packets are not modified. Is your
NAT table _huge?_ I would expect other performance issues if this
rule made trouble because of that.

> #
> # The rule below doesn't work at all (?) Don't know why...
> #
> ${fwcmd} add divert natd all from 192.168.1.0:255.255.255.0 to any via
> ${natd_interface}
>
> Please advise...

This one will not work since packets coming back from the Internet
do not get run through natd(8).

However, the easiest thing to do is probably to put all of your rules
that apply to traffic to and from your extranet _before_ the divert(4)
rule. Depending on performance issues, this approach may be good (most
of your traffic is from the extranet), bad (most traffic is from the
private network), or not matter (if your firewall machine is over-powered
for the job, who cares, go with what is easiest to administrate).

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
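The ordering Crist suggests, written out as an rc.firewall-style script. This is an added example, not code from the thread or from FreeBSD; the interface names (fxp0/fxp1/fxp2), the placeholder public /28s (192.0.2.32/28 and 192.0.2.48/28) and the dry-run default (FWCMD echoes the commands instead of loading them) are all assumptions. Every DMZ rule is added before the divert rule, so DMZ <-> Internet packets are accepted and routed before natd(8) ever sees them, and the divert rule itself stays bidirectional so that replies to LAN hosts still reach natd.

```shell
#!/bin/sh
# Added example (not from the original thread): rc.firewall-style ipfw
# script that keeps DMZ traffic out of natd by ordering the rules, as
# suggested in the reply above.
#
# Assumptions, none of which come from the original post: interface names
# fxp0/fxp1/fxp2, TEST-NET placeholders for the two public /28s, and a dry
# run by default. Run with FWCMD=/sbin/ipfw to load the rules on a
# FreeBSD 4.x box that has ipfw and natd configured.

: "${FWCMD:=echo /sbin/ipfw}"

ext_if=fxp0; ext_net=192.0.2.32/28      # public /28 on the outside (assumed)
dmz_if=fxp1; dmz_net=192.0.2.48/28      # public /28 in the DMZ (assumed)
lan_if=fxp2; lan_net=192.168.1.0/24     # RFC 1918 LAN: the only thing natd should see

build_rules() {
    ${FWCMD} -f flush

    ${FWCMD} add allow ip from any to any via lo0

    # Anti-spoofing: nothing claiming an inside source may arrive on ext_if.
    ${FWCMD} add deny log ip from ${lan_net} to any in via ${ext_if}
    ${FWCMD} add deny log ip from ${dmz_net} to any in via ${ext_if}

    # --- DMZ rules: deliberately placed BEFORE the divert rule ------------
    # A packet that matches one of these is accepted here and never reaches
    # natd, so DMZ hosts talk to the Internet with their own public
    # addresses in both directions.
    ${FWCMD} add allow tcp from any to ${dmz_net} 25,80,443 setup in via ${ext_if}
    ${FWCMD} add allow tcp from any to ${dmz_net} established in via ${ext_if}
    ${FWCMD} add allow ip from ${dmz_net} to any out via ${ext_if}
    ${FWCMD} add allow ip from any to any via ${dmz_if}

    # --- NAT for the private LAN only -------------------------------------
    # The divert rule must match both directions on ext_if. Restricting it
    # to "from ${lan_net}" breaks the return path: replies from the Internet
    # carry the firewall's public address as destination, never match, and
    # natd gets no chance to map them back to the LAN host.
    ${FWCMD} add divert natd ip from any to any via ${ext_if}

    # After natd: outbound packets now carry a public source address, and
    # inbound packets for which natd had a table entry carry the LAN host.
    ${FWCMD} add allow ip from ${ext_net} to any out via ${ext_if}
    ${FWCMD} add allow tcp from any to ${lan_net} established in via ${ext_if}
    ${FWCMD} add allow udp from any 53 to ${lan_net} in via ${ext_if}
    ${FWCMD} add allow ip from any to any via ${lan_if}

    ${FWCMD} add deny log ip from any to any
}

build_rules
```

Without explicit rule numbers ipfw assigns them in the order of the add commands, so the listing printed by the dry run is also the order in which packets are evaluated: the DMZ allow rules get lower numbers than the divert rule, which is the whole point.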

