Re: Statefull filtering with IPFW + IPFilter (was: Packet flow through IPFW+IPF+IPNAT)
From: Fernando Gleiser (fgleiser at cactus.fi.uba.ar)
Date: Wed Jun 04 2003 - 11:40:39 CDT
On Wed, 4 Jun 2003, Vandyuk Eugene wrote:
>
> I have done some tests with IPFW and IPF compiled in kernel and I was
> confused. Packet flow was:
>
> OUTGOING: IPF -> IPNAT -> IPFW
> INCOMING: IPNAT -> IPF -> IPFW
Yes. From ip_input.c:

iphack:
    /*
     * Check if we want to allow this packet to be processed.
     * Consider it to be bad if not.
     */
    if (fr_checkp) {
        struct mbuf *m1 = m;

        if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
            return;
        ip = mtod(m = m1, struct ip *);
    }
    if (fw_enable && IPFW_LOADED) {

The first 'if' checks if ipf is loaded, and calls the filter function if it
is. The second one does the same for ipfw.
And for outgoing packets, from ip_output.c:

    if (fr_checkp) {
        struct mbuf *m1 = m;

        if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
            goto done;
        ip = mtod(m = m1, struct ip *);
    }
    /*
     * Check with the firewall...
     * but not if we are already being fwd'd from a firewall.
     */
    if (fw_enable && IPFW_LOADED && !args.next_hop) {

Again, ipf gets called before ipfw.
>
> As the result - both outgoing/incoming packets are NAT'ed _before_ IPFW ?!
Yes, if you use ipnat for NAT.
> I think it's wrong and it should be corrected in this way:
>
> OUTGOING: IPF -> IPNAT -> IPFW
> INCOMING: IPFW -> IPNAT -> IPF
There was some discussion some time ago on ipf's mailing list. I don't remember
Darren's position on this.
Fer
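Added illustration, not part of the original message or of the kernel sources: a small constructed C model of the hook order the thread describes (input: ipnat -> ipf -> ipfw; output: ipf -> ipnat -> ipfw), showing which source/destination address each filter actually gets to match. The addresses and the single static NAT mapping are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not kernel code) of the hook order quoted above:
 *   input:  ipnat -> ipf -> ipfw      output: ipf -> ipnat -> ipfw
 * One static NAT mapping; addresses are constructed from documentation ranges. */
#define PUBLIC_ADDR   "203.0.113.10"   /* constructed: router's external address */
#define INTERNAL_ADDR "10.0.0.5"       /* constructed: host behind the router */

struct pkt  { char src[16], dst[16]; };
struct seen { char ipf_src[16], ipf_dst[16], ipfw_src[16], ipfw_dst[16]; };

/* Sample packets (constructed): one arriving from the Internet, one leaving. */
const struct pkt INBOUND_SAMPLE  = { "198.51.100.7", PUBLIC_ADDR };
const struct pkt OUTBOUND_SAMPLE = { INTERNAL_ADDR, "198.51.100.7" };

/* ipnat: rewrite src on the way out, dst on the way in. */
static void ipnat(struct pkt *p, int outgoing) {
    if (outgoing && strcmp(p->src, INTERNAL_ADDR) == 0)
        strcpy(p->src, PUBLIC_ADDR);
    else if (!outgoing && strcmp(p->dst, PUBLIC_ADDR) == 0)
        strcpy(p->dst, INTERNAL_ADDR);
}

/* Record the addresses a filter hook would see at this point. */
static void note(char *s, char *d, const struct pkt *p) { strcpy(s, p->src); strcpy(d, p->dst); }

/* ip_input path: NAT runs first, so ipf and ipfw both match the translated dst. */
struct seen ip_input_model(struct pkt p) {
    struct seen s;
    ipnat(&p, 0);
    note(s.ipf_src, s.ipf_dst, &p);
    note(s.ipfw_src, s.ipfw_dst, &p);
    return s;
}

/* ip_output path: ipf sees the private src, NAT runs, ipfw sees the public src. */
struct seen ip_output_model(struct pkt p) {
    struct seen s;
    note(s.ipf_src, s.ipf_dst, &p);
    ipnat(&p, 1);
    note(s.ipfw_src, s.ipfw_dst, &p);
    return s;
}

int main(void) {
    struct seen in = ip_input_model(INBOUND_SAMPLE), out = ip_output_model(OUTBOUND_SAMPLE);
    printf("in:  ipf dst %s, ipfw dst %s\n", in.ipf_dst, in.ipfw_dst);
    printf("out: ipf src %s, ipfw src %s\n", out.ipf_src, out.ipfw_src);
    return 0;
}
```

The practical consequence for rule writing: with this ordering, ipfw rules on both paths must match the already-translated (internal on input, public on output) address, never the pre-NAT one.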
_______________________________________________
freebsd-security at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"