Re: IPFW: combining "divert natd" with "keep-state"

From: Jim Hatfield (subscriber_at_insignia.com)
Date: 06/20/03

  • Next message: Jan Grant: "Re: IPFW: combining "divert natd" with "keep-state""
    To: freebsd-security@freebsd.org
    Date: Fri, 20 Jun 2003 11:40:55 +0100

    On Wed, 11 Jun 2003 12:20:20 +0100, in local.freebsd.security you
    wrote:

    >: ipfw -f flush
    >: ipfw add 100 divert natd ip from any to any via rl0 in
    >: ipfw add 200 check-state
    >: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
    >: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0
    >: ipfw add 400 skipto 500 ip from any to any out via rl0 keep-state
    >: ipfw add 500 divert natd ip from any to any out via rl0
    >: ipfw add 600 deny ip from 192.168.0.0/16 to any out via rl0
    >: ipfw add 600 deny ip from any to 192.168.0.0/16 out via rl0
    >: ipfw add 65000 allow ip from any to any

    Tricky indeed.

    I've been playing with the rules suggested by Greg Panula,
    but I don't really like them for a couple of reasons:

    - I prefer to keep the internal interface open. I often
      telnet into the router and keep the session open and
      inactive for hours, and the dynamic rules time out and
      kill it.

    - a rule is created which is never used, i.e. the outgoing
      packet starting a conversation creates two rules, only
      one of which is used in the check-state to match incoming.

    So I will try out your set. But one question first: do you
    ever get hits on the second rule 300? I would have thought
    it very difficult for anyone to route a packet to you with
    a non-routable destination address. Surely only your ISP
    could do that?

    Jim
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
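Added example, not from this thread: a Python simulation of ipfw's first-match walk over the quoted ruleset, modelling only the rl0 leg with a simplified natd and a constructed public address, flow addresses and ports. It shows why the inbound divert has to sit before check-state and keep-state before the outbound divert, and one case in which the second rule 300 does see a packet: an inbound reply un-translated by natd after its dynamic rule has timed out.

```python
from collections import namedtuple
PUBLIC = "203.0.113.5"  # assumed external address of rl0 (constructed, documentation range)
Pkt = namedtuple("Pkt", "src dst sport dport iface dir")
def priv(ip): return ip.startswith("192.168.")  # 192.168.0.0/16
# One entry per quoted rule: (number, action, direction on rl0 or None for any, extra match)
RULES = [
    (100, "divert", "in", lambda p: True),
    (200, "check-state", None, lambda p: True),
    (300, "deny", "in", lambda p: priv(p.src)),
    (300, "deny", "in", lambda p: priv(p.dst)),
    (400, "skipto", "out", lambda p: True),        # the keep-state rule
    (500, "divert", "out", lambda p: True),
    (600, "deny", "out", lambda p: priv(p.src)),
    (600, "deny", "out", lambda p: priv(p.dst)),
    (65000, "allow", None, lambda p: True),
]
SKIPTO = next(k for k, r in enumerate(RULES) if r[0] >= 500)  # where "skipto 500" lands
class Ipfw:
    def __init__(self):
        self.dynamic, self.nat = set(), {}  # keep-state flows (both directions); natd port table
    def natd(self, p):  # simplified natd: masquerade outbound (port kept), un-translate replies
        if p.dir == "out":
            self.nat[p.sport] = p.src
            return p._replace(src=PUBLIC)
        return p._replace(dst=self.nat[p.dport]) if p.dst == PUBLIC and p.dport in self.nat else p
    def run(self, p):  # first-match walk; returns (final action, rule number, packet as last seen)
        i = 0
        while i < len(RULES):
            num, action, d, extra = RULES[i]
            i += 1
            if (d and (p.iface != "rl0" or p.dir != d)) or not extra(p):
                continue
            if action == "divert":          # natd reinjects; evaluation resumes at the next rule
                p = self.natd(p)
            elif action == "check-state":   # a hit runs the creating rule's action: skipto 500
                if (p.src, p.sport, p.dst, p.dport) in self.dynamic:
                    i = SKIPTO
            elif action == "skipto":        # keep-state: record the flow pre-NAT, both ways
                self.dynamic |= {(p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)}
                i = SKIPTO
            else:
                return action, num, p
        return "deny", 65535, p             # ipfw's implicit default-deny rule
def demo():
    fw = Ipfw()
    first = fw.run(Pkt("192.168.1.10", "198.51.100.7", 40000, 80, "rl0", "out"))  # state at 400, NAT at 500
    reply = Pkt("198.51.100.7", PUBLIC, 80, 40000, "rl0", "in")
    second = fw.run(reply)  # un-translated at 100, matched at 200, jumps past both rules 300
    fw.dynamic.clear()      # the dynamic rule timed out while natd still holds the mapping
    stale = fw.run(reply)   # un-translated at 100, no state, denied by the second rule 300
    return first, second, stale
```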
