OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: Statefull filtering with IPFW + IPFilter (was: Packet flow through IPFW+IPF+IPNAT)

From: Fernando Gleiser (fgleisercactus.fi.uba.ar)
Date: Wed Jun 04 2003 - 11:40:39 CDT


On Wed, 4 Jun 2003, Vandyuk Eugene wrote:

>
> I have done some tests with IPFW and IPF compiled in kernel and I was
> confused. Packet flow was:
>
> OUTGOING: IPF -> IPNAT -> IPFW
> INCOMING: IPNAT -> IPF -> IPFW

Yes. from ip_input.c:

iphack:
        /*
         * Check if we want to allow this packet to be processed.
         * Consider it to be bad if not.
         */
        if (fr_checkp) {
                struct mbuf *m1 = m;

                if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
                        return;
                ip = mtod(m = m1, struct ip *);
        }
        if (fw_enable && IPFW_LOADED) {

the first 'if' checks if ipf is loaded, and calls the filter function if it
is. The second one does the same for ipfw

and for outgoing packets, from ip_output.c :

       if (fr_checkp) {
                struct mbuf *m1 = m;

                if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
                        goto done;
                ip = mtod(m = m1, struct ip *);
        }

        /*
         * Check with the firewall...
         * but not if we are already being fwd'd from a firewall.
         */
        if (fw_enable && IPFW_LOADED && !args.next_hop) {

Again, ipf gets called before ipfw.

>
> As the result - both outgoing/incoming packets are NAT'ed _before_ IPFW ?!

Yes, if you use ipnat for NAT.

> I think it's wrong and it should be corrected in this way:
>
> OUTGOING: IPF -> IPNAT -> IPFW
> INCOMING: IPFW -> IPNAT -> IPF

There was some discusion some time ago in ipf's mailing list. I don't remember
Darren's position on this.

                        Fer

_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"