On 1/30/15 8:37 AM, Lev Serebryakov wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I have problems to understand how combination of nat and stateful
ruleset for ipfw should work. There is no good guides, and most guides
uses old "divert" which is different from in-kernel nat, as far as I
understand.
Problem is, if we want to allow only incoming packets which are
belong to already established connections, we need to create state in
"allow" out rule for outbound packet BEFORE nat rule and then pass it
to nat, which looks impossible, as "allow" stop processing. Or we
could pass it to nat and then "allow keep-state", but then there will
be same problem for inbound packets: "check-state" should go before
"nat" rule, but packet should be passed to nat after that!
Now I have old ruleset which I don't quite understand. It works, but
WHY? Now I have such rules for outbound packets:
12700 skipto 12900 ip from any to any keep-state
12800 deny ip from any to any
12900 nat 1 ip from any to any out
12999 allow ip from any to any
And rules for inbound ones are:
11000 deny ip from any to not me
11500 nat 1 ip from any to any
11510 check-state
11600 allow tcp from any to me ssh,http setup keep-state
11999 deny ip from any to any
ok so the dynamic rule is created on the outgoing packet, and
associated with
skipto 12900
which sets up a NAT session.
on a later incoming packet, the rule 11500 is hit first so the packets
are NAT'd back,
and then their state is compared to that stored in the outgoing path,
and if they match, they go to 12900
where they are not checked again becasue they are not 'out' packets.
so it falls through to 12999 and is allowed in. (in its changed form).
packets that are not in a known session fall through teh check-state
and are dropped.
it all looks ok to me. kinda cute actually.
It was migrated from old copy'n'pasted "divert" variant (created
before "nat" action was created!).
Looks like, it does not what I want at all! It works only by
accident, as "check-state" becomes "skipto 12900" and it is works only
because 12999 is "allow ip from any to any" and not some other filtration!
Is here better way to have nat and stateful ruleset?
It would be really cool if state could hold the NAT'd form of the
packets as well. but what you have above is really kinda cute,
and seems to work as far as I can read.
what "other filtration" do you want?
I always do what is done here and separate inwards and outwards
packets for the external interface into two different sets of rules
(and another set for other interfaces).
I find it helps to draw a packet flow with two chains, in and out..
with samples of what the packets look like for each flow at each point.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
