Combining NATD with IPFW's "keep-state" and "check-state" rules


Post by Matthew X. Economo » Sat, 17 Nov 2001 12:01:17



I'm having some difficulty creating a customized firewall
configuration that uses both address translation and stateful
inspection.  Here's what I'm trying to do:

 1. protect against IP spoofing, both in- and outbound

 2. allow inbound SMTP, FTP, HTTP, and DNS traffic to various hosts
    behind the firewall, statefully (and using NAT)

 3. filter outbound traffic (e.g. only HTTP, FTP, DNS, NTP, RealAudio,
    etc.), statefully, hiding behind the Firewall's external IP.

 4. filter IPSEC-encapsulated traffic

Thanks to /etc/rc.firewall, I've got rules for #1 (admittedly, proper
placement around "divert" and "check-state" rules is going to be an
issue), but the others elude me, especially since the available
documentation (the Handbook, the FAQ, the manual pages, FreeBSD
problem reports, the default firewall rule base in /etc/rc.firewall,
and the contents of /usr/share/examples) is pretty short on examples
of advanced usage.

If someone could point me to alternate resources, especially advanced
IPFW and NATD configurations, I would be very grateful.  I would also
be glad to share my firewall configuration in order to learn these
more advanced techniques.

Kind regards,
#\Matthew

--
"We know for certain only when we know little.  With knowledge, doubt
increases." - Goethe
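An added example for the four goals in the question (not code from the thread and not FreeBSD's own rc.firewall): an sh script that prints an ordered ipfw ruleset combining "divert natd" with "check-state"/"keep-state". The interface names, address ranges and the inside mail host are assumptions; the point it demonstrates is that a dynamic rule records the addresses as they look at the "keep-state" rule, so "divert" must sit before "check-state" and every "keep-state" rule must sit on an in-pass where the addresses are the untranslated inside ones.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names and addresses
# are assumptions; adjust before use.
oif="xl0"                 # external interface (assumed name)
oip="198.51.100.1"        # its address (constructed documentation value)
iif="fxp0"                # internal interface (assumed name)
inet="192.168.1.0/24"     # internal network (assumed)
mailhost="192.168.1.20"   # inside SMTP host that natd's redirect_port targets

# Print the rules instead of loading them, so the order can be reviewed
# (pipe the output into sh to apply). The numbers fix the ordering:
# anti-spoof < divert < check-state < keep-state rules < allow-out.
gen_rules() {
    echo "ipfw -f flush"
    # 1. anti-spoofing, evaluated before natd rewrites anything
    echo "ipfw add 100 deny ip from ${inet} to any in via ${oif}"
    echo "ipfw add 110 deny ip from not ${inet} to any in via ${iif}"
    # 4. IPsec terminating on the firewall: ESP has no ports, so no state
    echo "ipfw add 200 allow esp from any to ${oip} in via ${oif}"
    echo "ipfw add 210 allow udp from any 500 to ${oip} 500 via ${oif}"
    # NAT: a packet returned by natd re-enters at the rule after 300,
    # so inbound packets below carry their inside destination address
    echo "ipfw add 300 divert natd ip from any to any via ${oif}"
    echo "ipfw add 310 deny ip from ${inet} to any out via ${oif}"
    # every pass consults the dynamic rules first
    echo "ipfw add 400 check-state"
    # 2. inbound services: destination already rewritten to the inside host
    echo "ipfw add 500 allow tcp from any to ${mailhost} 25 in via ${oif} setup keep-state"
    # 3. outbound from the LAN, vetted on the inside interface before NAT
    #    (21 covers passive FTP only; active-mode data channels need more)
    for port in 80 443 21 123 53; do
        echo "ipfw add 600 allow tcp from ${inet} to any ${port} in via ${iif} setup keep-state"
    done
    echo "ipfw add 610 allow udp from ${inet} to any 53,123 in via ${iif} keep-state"
    # decisions were taken on the in-passes; out-passes only forward
    echo "ipfw add 900 allow ip from any to any out"
    echo "ipfw add 65000 deny log ip from any to any"
}

gen_rules
```

Rule 310 catches an untranslated private source leaking out after natd, the same check rc.firewall places after its divert rule.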


Combining NATD with IPFW's "keep-state" and "check-state" rules

Post by Carl » Sun, 18 Nov 2001 08:17:18


Some sites with IPFW tutorials, to get you started:

http://renaud.waldura.com/doc/freebsd/firewall/
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
http://www.onlamp.com/pub/a/bsd/2001/06/01/FreeBSD_Basics.html
http://www.defcon1.org/html/NATD-config/firewall-setup/ipfw-1.html

Regards...


> I'm having some difficulty creating a customized firewall
> configuration that uses both address translation and stateful
> inspection.  Here's what I'm trying to do:

>  1. protect against IP spoofing, both in- and outbound

>  2. allow inbound SMTP, FTP, HTTP, and DNS traffic to various hosts
>     behind the firewall, statefully (and using NAT)

>  3. filter outbound traffic (e.g. only HTTP, FTP, DNS, NTP, RealAudio,
>     etc.), statefully, hiding behind the Firewall's external IP.

>  4. filter IPSEC-encapsulated traffic

> Thanks to /etc/rc.firewall, I've got rules for #1 (admittedly,
> proper placement around "divert" and "check-state" rules is
> going to be an issue), but the others elude me, especially
> since the available documentation (the Handbook, the FAQ, the
> manual pages, FreeBSD problem reports, the default firewall
> rule base in /etc/rc.firewall, and the contents of
> /usr/share/examples) is pretty short on examples of advanced
> usage.

> If someone could point me to alternate resources, especially advanced
> IPFW and NATD configurations, I would be very grateful.  I
> would also be glad to share my firewall configuration in order
> to learn these more advanced techniques.

> Kind regards,
> #\Matthew



Combining NATD with IPFW's "keep-state" and "check-state" rules

Post by Joe Berr » Sat, 24 Nov 2001 03:09:14



> Some sites with IPFW tutorials, to get you started:

> http://renaud.waldura.com/doc/freebsd/firewall/
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
> http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
> http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
> http://www.onlamp.com/pub/a/bsd/2001/06/01/FreeBSD_Basics.html
> http://www.defcon1.org/html/NATD-config/firewall-setup/ipfw-1.html

I was about to ask a similar question.  Thanks for posting these references.
It gives me a lot more material to work with.

Joe
