
Re: Binat and statefull inspection



On Thursday 26 February 2004 01:22 pm, Kevin Barrass wrote:
> If I add a rule as below
>
> pass  in on $int_if proto tcp from 10.223.0.254 to any port 80
> modulate state
>
> The router can connect out and connections are statefully allowed
> back in through the outside interface. I don't understand why
> stateful inspection works in one direction but not in the other.

What use would it be to ensure that your server(s) send replies that
originate from the server the request was sent to? After all, the purpose is to
ensure that everything that comes back in was in response to actual requests going out.

> Regards
>
> Kev
>
>
> -----Original Message-----
> From: Kevin Barrass
> Sent: 26 February 2004 17:51
> To: misc@openbsd.org
> Subject: Binat and statefull inspection
>
> Hi
>
> On an OpenBSD 3.4 firewall with all the latest errata applied, I have a
> binat from an inside host to an external address as below, but using
> the first config no one can telnet to the internal host, whereas using the
> second config they can. It's as though stateful inspection is not
> working inbound.
>
> Any help much appreciated.
>
> Kind Regards
>
> Kev
>
> ###########
>
> ext_if="rl0"
> int_if="xl0"
> scrub in all
>
>
> binat on $ext_if from 10.223.0.254 to any -> 10.1.255.111
> nat on $ext_if from 10.223.0.0/16 to any -> ($ext_if)
>
> block in all
> pass in on $ext_if proto tcp from any to 10.223.0.254 port telnet synproxy state
>
> #############
>
> But if I use the config below it works, as I have to set up a rule to
> allow the connection back out.
>
> #############
>
> ext_if="rl0"
> int_if="xl0"
> scrub in all
>
>
> binat on $ext_if from 10.223.0.254 to any -> 10.1.255.111
> nat on $ext_if from 10.223.0.0/16 to any -> ($ext_if)
>
> block in all
> pass in on $ext_if proto tcp from any to 10.223.0.254 port telnet synproxy state
> pass in on $int_if proto tcp from 10.223.0.254 to 10.1.5.171 port >1024 modulate state
>
> ############

-- 

"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
                                Benjamin Franklin
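The mechanics behind Kev's question are easier to see with a small model of how pf of that era handles a packet: translation rules (here the static binat) are applied first, then the state table is consulted, and only then are the filter rules evaluated, with "block in all" as the fallback for inbound packets. States are floating, so a state created by the "pass in on $ext_if ... synproxy state" rule also matches the server's SYN-ACK arriving "in on $int_if", and the state is recorded with both the internal and the binat address so the reply is recognised on either side of the translation. The following is an added Python model written for this page; it is not pf code and not part of the thread. The client address 10.1.5.171, the ephemeral port 40000 and the packet trace are constructed, the dynamic "nat on $ext_if" rule for the rest of 10.223.0.0/16 is deliberately left out, and the TCP flag and sequence-number handling of modulate/synproxy state is not modelled; every rule that carries a state keyword is simply treated as creating a state.

```python
"""Toy model of pf's translate -> state lookup -> filter rules pipeline.

Constructed for illustration only (not pf's code). It models the static binat
and the inbound telnet rule from the thread, plus the "pass in on $int_if"
workaround rule, and ignores dynamic NAT, TCP flags and sequence modulation.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Set, Tuple

Key = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out", as seen from the firewall
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    direction: str
    proto: str
    dst: str                       # matched AFTER translation, like pf of that era
    dport: Callable[[int], bool]   # port predicate: "port telnet" or "port > 1024"
    keep_state: bool               # keep/modulate/synproxy state all create a state


def key(p: Packet) -> Key:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> Key:
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class Firewall:
    def __init__(self, ext_if: str, binat: Tuple[str, str], rules: List[Rule]):
        self.ext_if = ext_if
        self.internal, self.external = binat  # binat on $ext_if from internal to any -> external
        self.rules = rules
        self.states: Set[Key] = set()         # floating: the interface is not part of the key

    def translate(self, p: Packet) -> Packet:
        """Static binat on the external interface, applied before any filtering."""
        if p.iface != self.ext_if:
            return p
        if p.direction == "in" and p.dst == self.external:
            return replace(p, dst=self.internal)
        if p.direction == "out" and p.src == self.internal:
            return replace(p, src=self.external)
        return p

    def process(self, p: Packet) -> str:
        t = self.translate(p)
        # 1. State lookup: an established connection passes in both directions on any
        #    interface, whether the packet carries the internal or the binat address.
        for q in (p, t):
            if key(q) in self.states or reverse_key(q) in self.states:
                return "pass:state"
        # 2. No state. The ruleset only has "block in all", so outbound is open by default.
        if p.direction == "out":
            return "pass:default-out"
        for r in self.rules:
            if ((r.iface, r.direction, r.proto) == (t.iface, t.direction, t.proto)
                    and r.dst == t.dst and r.dport(t.dport)):
                if r.keep_state:
                    # Record both forms so the reply matches on either side of the binat.
                    self.states.update({key(p), key(t)})
                    return "pass:rule+state"
                return "pass:rule"
        return "block"


# Addresses from the thread; the client and its source port are constructed.
CLIENT, SERVER_INT, SERVER_EXT = "10.1.5.171", "10.223.0.254", "10.1.255.111"


def page_ruleset(stateful: bool) -> Firewall:
    """'pass in on $ext_if proto tcp from any to 10.223.0.254 port telnet [synproxy state]'."""
    rules = [Rule("rl0", "in", "tcp", SERVER_INT, lambda d: d == 23, keep_state=stateful)]
    return Firewall("rl0", (SERVER_INT, SERVER_EXT), rules)


def workaround_rule() -> Rule:
    """Kev's second config: 'pass in on $int_if ... to 10.1.5.171 port >1024 modulate state'."""
    return Rule("xl0", "in", "tcp", CLIENT, lambda d: d > 1024, keep_state=True)


def telnet_handshake(fw: Firewall) -> List[str]:
    """Constructed trace: SYN crosses rl0 -> xl0, the server's SYN-ACK crosses xl0 -> rl0."""
    trace = [
        Packet("rl0", "in",  "tcp", CLIENT, 40000, SERVER_EXT, 23),
        Packet("xl0", "out", "tcp", CLIENT, 40000, SERVER_INT, 23),
        Packet("xl0", "in",  "tcp", SERVER_INT, 23, CLIENT, 40000),
        Packet("rl0", "out", "tcp", SERVER_INT, 23, CLIENT, 40000),
    ]
    return [fw.process(p) for p in trace]


def stray_probe(fw: Firewall) -> str:
    """An unsolicited SYN to another port on the binat address must hit 'block in all'."""
    return fw.process(Packet("rl0", "in", "tcp", CLIENT, 40001, SERVER_EXT, 80))


if __name__ == "__main__":
    print("stateful rule: ", telnet_handshake(page_ruleset(True)))
    print("stateless rule:", telnet_handshake(page_ruleset(False)))
    fw = page_ruleset(False)
    fw.rules.append(workaround_rule())
    print("with workaround:", telnet_handshake(fw))
```

With the state-creating telnet rule, the server's SYN-ACK arriving "in on xl0" is accepted by the state lookup and never reaches "block in all"; with a stateless rule it is blocked there, which is the symptom Kev describes, and the "pass in on $int_if ... port >1024" rule only papers over that by opening the reply path explicitly. The model also shows why the pass rule on $ext_if names the internal address 10.223.0.254 rather than the binat address: the filter rule sees the packet after translation.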