Can't pair in-kernel NAT with real stateful ipfw. All 'seems-solved' examples I have seen online are in fact not safe.
The following set I have now works well, allowing web access ('telnet google.com 80') both from jails and from the host system. (I'm not talking about web access to my box):
Code:
00220 nat 3 tcp from 10.1.1.11 to any dst-port 80,443 out via em0 #out of jail
00230 allow tcp from a.b.c.d to any dst-port 80,443 out via em0 #when leave NAT we have external IP, so allow it, leave ipfw here
00240 nat 3 tcp from any 80,443 to a.b.c.d in via em0 #return packet must be NATed again
00250 allow tcp from any 80,443 to 10.1.1.11 in via em0 #after NAT we are "to internal", so allow it, leave ipfw here, everything fine in jail now
00260 allow tcp from any 80,443 to a.b.c.d in via em0 #this is return for the host, when 'telnet example.com 80' issued from the host
65535 deny ip from any to any
But it's not safe. Anyone who pretends to be port 80 or 443 will get access to any filtered port on the system.
I figured out the following set, but this set of rules causes my box to freeze so that I need to reboot it!
Code:
00220 skipto 3000 tcp from any 80,443 to a.b.c.d in via em0
00230 nat 3 tcp from 10.1.1.11 to any dst-port 80,443 out via em0 keep-state :accesswebint
00240 allow tcp from a.b.c.d to any dst-port 80,443 out via em0
03000 nat 3 tcp from any 80,443 to a.b.c.d in via em0
03010 check-state :accesswebint
65535 deny ip from any to any
My understanding is the following:
230 will get me out of the jail and create a dynamic rule for ports "80 - someport" and addresses "10.1.1.10 - someIP".
240 will get this packet out of ipfw to the world.
The return packet will hit 220, which lets it bypass rule 230, which would otherwise trigger a wrong dynamic rule because it has keep-state; but we need to NAT this packet back to the jail first.
So 3000 will NAT it, and now I expected that 3010 would allow this packet because of the created dynamic rule:
Code:
00230 1 60 (18s) STATE tcp 10.1.1.11 60491 <-> 172.217.21.174 80 :accesswebint
But as I said, this set causes a system freeze so that only a reboot helps.
What's wrong with my understanding?
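The two rule sets in the post differ in what they trust: the first trusts the source port (any packet from port 80 or 443 gets in), the second tries to trust a dynamic rule but places the check-state after a nat action. As an added example that is not part of the post, the script below loads an ipfw rule set in the order the FreeBSD Handbook uses for in-kernel NAT: inbound packets are de-NATed first, then matched against dynamic rules; outbound SYNs from the jail create state with the pre-NAT address and jump to the NAT rule. Two details matter for a practitioner: `one_pass` is disabled, because with the default setting a packet that matches a nat rule leaves ipfw right after the translation and never reaches a check-state that follows it; and no rule mentions a source port at all, so a packet arriving from port 80 that belongs to no flow opened from inside falls through to the deny. Assumed names: `em0` is the external interface, `a.b.c.d` is a placeholder for the public address, `10.1.1.11` is the jail, nat instance `1` and the flow name `:accesswebint` are arbitrary choices, and `IPFW="echo ipfw"` is a dry-run switch added here so the rules can be printed without root.

```sh
#!/bin/sh
# Added example (not the poster's rules): in-kernel NAT with stateful ipfw in the
# FreeBSD Handbook order. Assumed: em0 external interface, a.b.c.d placeholder for
# the public address, 10.1.1.11 the jail, nat instance 1, flow name :accesswebint.
pif="em0"
host="a.b.c.d"          # placeholder, replace with the real public address
jail="10.1.1.11"
IPFW="${IPFW:-ipfw}"    # set IPFW="echo ipfw" to print the rules instead of loading them

ipfw_rules() {
    $IPFW -q -f flush
    # With one_pass enabled (the default) a packet leaves ipfw right after a nat
    # action, so a check-state placed after the nat would never see it.
    $IPFW disable one_pass
    $IPFW -q nat 1 config if "$pif" same_ports unreg_only reset

    $IPFW -q add 100 allow ip from any to any via lo0

    # Inbound on the external interface: de-NAT first, so the state lookup that
    # follows sees the jail address the dynamic rule was created with.
    $IPFW -q add 200 nat 1 ip from any to any in via "$pif"
    # Only packets belonging to a flow opened from inside pass here; an unsolicited
    # packet with source port 80 matches no dynamic rule and falls through to 900.
    $IPFW -q add 210 check-state :accesswebint

    # New outbound web connections from the jail: record state on the SYN (with the
    # pre-NAT jail address), then jump to the NAT rule. Later packets of the flow
    # match at 210 and inherit this skipto.
    $IPFW -q add 300 skipto 1000 tcp from "$jail" to any dst-port 80,443 out via "$pif" setup keep-state :accesswebint
    # The host's own web connections need no NAT but get the same state tracking.
    $IPFW -q add 310 allow tcp from "$host" to any dst-port 80,443 out via "$pif" setup keep-state :accesswebint

    # Neither an established flow nor a permitted new one: drop it.
    $IPFW -q add 900 deny ip from any to any

    # Outbound jail packets are translated here. Inbound packets sent here by a
    # dynamic rule's skipto do not match "out via" and are simply allowed.
    $IPFW -q add 1000 nat 1 ip from any to any out via "$pif"
    $IPFW -q add 1010 allow ip from any to any
}

# Load the rules only as root with ipfw present; anywhere else, print them.
if [ "$(id -u 2>/dev/null)" = "0" ] && command -v ipfw >/dev/null 2>&1; then
    ipfw_rules
else
    IPFW="echo ipfw"
    ipfw_rules
fi
```

Run it with `IPFW="echo ipfw" sh rules.sh` first to read the rule list it would load; the relevant order to confirm is 200 (nat in), 210 (check-state), 300/310 (keep-state on the SYN), 900 (deny), 1000/1010 (nat out, allow).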