Re: Bug in stateful code?

Rogier R. Mulhuijzen Thu, 14 Feb 2002 12:59:08 -0800


>>the reply was that keep-state and natd are very hard to use
>>together, and besides it is rather useless because natd is stateful
>>by itself.
>natd is stateful,  but provides no protection for inbound IP traffic
>that is destined for the filtering host itself.


I have personally looked at natd & stateful ipfw rules, and have concluded 
that it logically impossible to get it to work.

Thus I made a ipfw rulelist that utilizes the statefulness of natd. I hope 
this helps you in making your own rulelist.

tl0 is the interface on internal LAN
lnc0 is the interface on external LAN

--------------------

#divert all http requests from internal network to quid cache
add 00510 fwd 172.30.0.1 tcp from 172.30.0.0/16 to any 80 in via tl0
add 00520 fwd 172.30.0.1 tcp from 172.20.0.0/16 to any 80 in via tl0
add 00530 fwd 172.30.0.1 tcp from 192.168.0.0/24 to any 80 in via tl0

#allow all traffic to/from internal network
add 01000 allow all from any to any via tl0

#translate incoming packets (NAT)
add 30000 divert natd all from any to <internet IP of machine> in via lnc0

#allow incoming packets for hosts on internal network
#(Since we translated them, we're sure they belong to existing
#connection)
add 30110 allow all from any to 172.20.0.0/16 in via lnc0
add 30111 allow all from any to 172.30.0.0/16 in via lnc0
add 30112 allow all from any to 192.168.0.0/24 in via lnc0

#allow SSH from XXXXXXXX
add 30200 allow tcp from <some internet IP> to <internet IP of machine> 22 
in via lnc0
add 30210 allow tcp from <internet IP of machine> 22 to <some internet IP> 
out via lnc0

#allow DNS queries to UUnet DNS servers
add 30300 allow udp from <DNS1 IP> 53 to <internet IP of machine> in via lnc0
add 30310 allow udp from <internet IP of machine> to <DNS1 IP> 53 out via lnc0
add 30320 allow udp from <DNS2 IP> 53 to <internet IP of machine> in via lnc0
add 30330 allow udp from <internet IP of machine> to <DNS2 IP> 53 out via lnc0

#allow outgoing traffic from internal hosts
#(use skipto 34000 instead of allow because they still need translation)
add 31010 skipto 34000 all from 172.20.0.0/16 to any out via lnc0
add 31020 skipto 34000 all from 172.30.0.0/16 to any out via lnc0
add 31030 skipto 34000 all from 192.168.0.0/24 to any out via lnc0

#allow outgoing connections from local machine (using dynamic rules)
add 32000 allow all from <internet IP of machine> to any out via lnc0 
keep-state

#block and log everything that hasn't been allowed so far
add 33000 deny log all from any to any

--------------------

Greets,

         Doc


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message

Re: Bug in stateful code?

Reply via email to