Re: Policy routing with IPFW

Board: FB_security | Posted 22 years ago (2004/04/18 02:47) | Pushes: 0 (0/0/0)
0 comments, 0 participants, latest in thread 3/3
On Thu, Apr 15, 2004 at 03:39:45PM -0700, Stephen Gill wrote:
> Hi David,
>
> Well, that might be a half a step closer... I just tried this
> combination with a 50% success rate :). Inbound connections work quite
> well, but connections originating from the box itself do not work.
> Any ideas as to how to make this rulebase work with policy routing for
> outbound connections as well?
>
> I think it is interfering with the dynamic rules. ICMP appears to
> work, but that is all. I would like to still use the dynamic
> capabilities of stateful filtering if possible.

That is a problem with your setup since 'fwd' rules match and exit. So what happens is,

> # POLICY ROUTING
> ${fwcmd} add 095 allow ip from ${IP1} to ${IP1-NET}
> ${fwcmd} add 100 fwd ${IP1-GW} ip from ${IP1} to any

Packets match here and go out.

> ${fwcmd} add 110 allow ip from ${IP2} to ${IP2-NET}
> ${fwcmd} add 115 fwd ${IP2-FW} ip from ${IP2} to any

Or match here and go out. Which means they never reached these:

> # Allow from me to anywhere
> ${fwcmd} add 240 allow tcp from me to any setup keep-state
> ${fwcmd} add 260 allow udp from me to any keep-state
> ${fwcmd} add 280 allow icmp from me to any

This also will mess with stateful connections (TCP) coming in since the responses never get seen by the dynamic rules. For incoming connections, using dynamic rules is actually bad for security in the first place, so dropping that is not a problem. For the outgoing traffic... problem.

$fwcmd add fwd ${IP1-GW} tcp from me to any setup keep-state

Won't work since applying a 'fwd' to the returning traffic is a bad idea (routing loop).

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
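To make the first-match behaviour Crist describes concrete, here is an added simulation (not from the thread or from ipfw itself) that walks the quoted rule numbers in order and reports which earlier rule terminates a flow before the keep-state rule 240 is ever consulted. The addresses are hypothetical placeholders for ${IP1}, ${IP1-NET}, ${IP1-GW} and their IP2 counterparts.

```python
# Minimal model of ipfw first-match evaluation: the first rule that
# matches decides the packet's fate, and 'fwd' is terminal just like 'allow'.
import ipaddress

# Hypothetical stand-ins for the ${IP1}/${IP2} variables in the quoted ruleset
IP1, IP1_NET, IP1_GW = "192.0.2.10", "192.0.2.0/24", "192.0.2.1"
IP2, IP2_NET, IP2_GW = "198.51.100.10", "198.51.100.0/24", "198.51.100.1"
ME = {IP1, IP2}  # addresses that 'me' expands to on this box

# (rule number, action, proto, src, dst), same order as the quoted ruleset
RULES = [
    (95,  "allow", "ip", IP1, IP1_NET),
    (100, f"fwd {IP1_GW}", "ip", IP1, "any"),
    (110, "allow", "ip", IP2, IP2_NET),
    (115, f"fwd {IP2_GW}", "ip", IP2, "any"),
    (240, "allow keep-state", "tcp", "me", "any"),
    (260, "allow keep-state", "udp", "me", "any"),
    (280, "allow", "icmp", "me", "any"),
]

def addr_match(pattern, addr):
    """Match an address against an ipfw-style 'any', 'me', CIDR or host pattern."""
    if pattern == "any":
        return True
    if pattern == "me":
        return addr in ME
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    return addr == pattern

def first_match(proto, src, dst, rules=RULES):
    """Return (number, action) of the first matching rule, or None."""
    for num, action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and addr_match(rsrc, src) and addr_match(rdst, dst):
            return num, action
    return None

def shadowed_by(num, proto, src, dst, rules=RULES):
    """Number of the earlier rule that stops this flow before rule `num`, or None."""
    hit = first_match(proto, src, dst, rules)
    return hit[0] if hit and hit[0] < num else None

if __name__ == "__main__":
    for src in (IP1, IP2):
        print(src, "-> Internet stops at rule", shadowed_by(240, "tcp", src, "203.0.113.5"))
```

Running it shows both locally originated TCP flows terminate at the fwd rules (100 and 115), so no dynamic state is ever created for them, which is exactly why inbound works and outbound does not.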
Article ID (AID): #10WNlB00 (FB_security)