Serious problem with ipfw and natd

Hi guys.

I'll start with saying I'm a bit new to FreeBSD, but I wanted to get to know it. And so my first project was to turn an old computer I once used as a linux firewall/gateway router into a FreeBSD firewall/gateway router. I decided to do this using a vanilla copy of FreeBSD 7.2-p2 and after reading the handbook and man pages, I decided to use a combination of ipfw and natd to accomplish what I need.

However, I've run into some serious difficulty in understanding how ipfw and natd work and therefore, only barely got it working the way I need. I basically followed the recommendations in the handbook for ipfw and natd with just enough modifications to tailor it to my needs.

But after testing some things, and doing an audit on my network, it's got some strange behavior I cannot explain. They are as follows.

For one, my check-state rule seems to never apply according to the ipfw show command stats counters (unless this is by design).

And if I run a tcpdump -ni dc0 net 192.168.0.0/24 (which is the externally facing NIC and the subnet I'm using internally behind the FreeBSD firewall), I actually see traffic occasionally leaving my network with a source IP address of the original host on the LAN, YIKES!!!

Why would an otherwise stable and reliable Unix box let packets "slip" through at "random"? The only thing I can think of is my ruleset is seriously bad.

I am posting my ipfw.rules file and my natd.conf file.
Would anyone be able to guide or coach me as to why my ruleset does not work as expected?

Thanks
Sly
 


What made you decide to run ipfw/natd, and not pf with its built-in nat/binat capability, which is basically one single line in pf.conf?
 
Honestly, it was a tough call to try and figure out which firewalling package to use when I found out I had a choice of 3, and not knowing FreeBSD (I come from a Linux background). Like I said, after reading the handbook, I got the impression that ipfw was the "default" or original firewall for FreeBSD and that the others were just "ported" over from the other BSDs. So it seemed more natural to me to go with the default...since my intention was to use a vanilla FreeBSD install. I'm slowly getting the impression that ipfw and natd were a truly bad idea.
 
I'm not going to crack down on ipfw, because I use it extensively for other purposes (ipfw pipes for delay/packetloss simulation), but for 'real' hardcore firewalling and nat'ing I will only use pf. It is extremely well documented, and very much 'human-readable'. At least, I don't think this will blow your mind:

Code:
nat on $ext_if from $int_net to any -> $ext_if

That's the replacement for natd ...

pf.conf(5)
pfctl(8)
http://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html
http://www.openbsd.org/faq/pf/ ('the original' - note that OpenBSD's PF is always ahead of FreeBSD's, so documentation may mention things not available on FreeBSD yet).

If you still have the option to switch, do so now.
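The one-line nat rule above, placed in a complete minimal pf.conf for the two-NIC gateway described in the first post. This is an added example, not DutchDaemon's configuration or anything from the FreeBSD handbook; it assumes dc0 is the external interface and 192.168.0.0/24 is the LAN (both from the original post), while the internal interface name fxp0 is a placeholder to be replaced with the real one. Besides the translation rule, it adds an explicit egress block so that a LAN packet reaching the external wire untranslated is dropped and logged rather than leaking its private source address, which is exactly the symptom seen in the tcpdump.

```pf
# Added example (not from the thread): minimal pf.conf for a FreeBSD 7.x
# gateway with NAT. dc0 and 192.168.0.0/24 come from the original post;
# fxp0 is an assumed placeholder for the internal NIC.

ext_if  = "dc0"
int_if  = "fxp0"
int_net = "192.168.0.0/24"

# RFC 1918 ranges that must never leave the external interface as a
# source address. Relax this if the ISP hands the modem a private address.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Translation: rewrite the source of LAN traffic leaving via the external
# interface to that interface's current address (parentheses = dynamic).
# Translation happens before filtering, so the out rules below see the
# already-masqueraded source for anything this rule matched.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny; log drops to pflog0 so leaks are visible with tcpdump.
block log all

# Drop spoofed sources on the inside and loopback.
antispoof quick for { lo0, $int_if }

# Fail closed: a LAN source that reaches the outside untranslated is
# dropped here instead of being sent with its internal address.
block out quick log on $ext_if from <private> to any

# Stateful outbound from the gateway itself and the LAN.
pass out on $ext_if proto { tcp, udp, icmp } all keep state
pass in  on $int_if from $int_net to any keep state
pass out on $int_if to $int_net keep state

# Admin access to the gateway from the LAN only.
pass in on $int_if proto tcp from $int_net to ($int_if) port ssh keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, enable `pf_enable="YES"` and `pflog_enable="YES"` in rc.conf, and then `tcpdump -n -e -ttt -i pflog0` shows anything the block rules catch. If the egress block ever logs a 192.168.0.x source on dc0, the translation rule is not matching that traffic and the nat line (interface or int_net) needs a second look.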
 
Thanks...I'm going to research how to use pf then. I was considering using ipfw's new (in FreeBSD 7.x) builtin in-kernel nat feature. But honestly, I'm still very confused as to why those packets occasionally leave my network without the source IP being masqueraded. I could point the finger to natd, but how do I know that ipfw isn't at fault? Or what if it's both? At this point, I just want a working firewall...so I think if I have to read up and learn something new, might as well just ditch ipfw and go with pf on your (and seemingly many others' as well) recommendation.

Thanks man.
 
DutchDaemon said:
What made you decide to run ipfw/natd, and not pf with its built-in nat/binat capability, which is basically one single line in pf.conf?

IPFW in FreeBSD 7.0+ includes built-in NAT capabilities. No need for separate natd. It's a one line entry, just like in PF.

The only major deficiency left in IPFW is that it's very hard to get stateful filtering and NAT working together. (At least with external natd, it may be easier with internal nat.)
 
I'm still thinking about researching the ipfw builtin nat capabilities introduced in FreeBSD 7 because looking over the pf documentation...the syntax is completely foreign to me. And if I thought it was hard to wrap my iptables accustomed brain around ipfw with natd in the works, it will be fun trying my luck at pf. I'm going to need more coffee...if someone was interested in helping me out, how would you recommend modifying the ipfw.rules file attached above with the necessary ipfw nat instructions so I can get rid of natd?
 
Ok, following the examples I've seen and gleaning the OpenBSD manual, I think I have a *slight* handle on pf and have drawn up a test pf.conf that *should* work for me. I don't feel comfortable testing it out remotely so I will try to test it tonight when I get home and all has calmed down. If this works, I'll be an ipfw to pf convert...though I'm still interested in knowing how ipfw's builtin nat function works. I might as well take the time as well, to cut out the old LinkSys card from my gateway and slap an Intel PRO/100 I found lying around. Might work better too, who knows.
 
DutchDaemon said:
I'm not going to crack down on ipfw, because I use it extensively for other purposes (ipfw pipes for delay/packetloss simulation), but for 'real' hardcore firewalling and nat'ing I will only use pf. It is extremely well documented, and very much 'human-readable'. At least, I don't think this will blow your mind:

Code:
nat on $ext_if from $int_net to any -> $ext_if

That's the replacement for natd ...

pf.conf(5)
pfctl(8)
http://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html
http://www.openbsd.org/faq/pf/ ('the original' - note that OpenBSD's PF is always ahead of FreeBSD's, so documentation may mention things not available on FreeBSD yet).

If you still have the option to switch, do so now.

Thanks DutchDaemon,

I set up my own pf.conf from scratch following the guides you sent me and oh my God, you just showed me my LinkSys cable modem at my new apartment, isn't actually inferior to my previous Motorola cable modem I had before it. I used to get nearly 20Mbit downstream from my old Motorola cable modem and LinkSys WRT54GS running DD-WRT on it.

Then I moved and left that equipment to my family and bought a LinkSys cable modem and decided to use my old 500MHz computer from back in the day and was saddened when I saw I could only get Comcast's advertised 12Mbit PowerBoost.

I see now it was all ipfw/natd's fault, cause now I can peak to 30Mbit!!! Even better than before!!! Who would've known!

Plus now my 500MHz firewall sits truly idle even with my torrents whirring away on another machine and surfing the net on this one. Oh and my Vonage worked on the first try.

That much usage used to put natd in over 10% usage easily, and if I did any sort of power user stuff (like using nmap to audit a friend's firewall over the internet) it would peg natd to 100% CPU usage and my Vonage would stutter bad even though I wasn't using a fraction of my cable modem's available bandwidth.

This is a MAJOR improvement, thanks guys! I am MOST definitely a pf convert!
