On Mar 23, 2013, Will D. Spann wrote: > Mike, > > Thanks for the rapid reply! I'd like to say I'm a big fan of your Linux > Firewalls book. I have learned so much about network security from this book. > Well done.
Thanks for the kind words. > > On Mar 22, 2013, Will D. Spann wrote: >> I've been trying out the > > --NAT-local functionality with v2.0.3 (on Linux > >> Mint) & v2.0.0-rc1 (on OpenWRT), and I've observed that > >> ENABLE_IPT_FORWARDING > >> must be enabled in fwknopd.conf, otherwise the FWKNOP_PREROUTING chain is > >> not > >> created in the 'nat' table (under iptables). This seems to effectively > >> prevent --NAT-local usage from working at all, as the necessary DNAT rule > >> is > >> not generated. > >> > >> From my reading of the fwknopd documentation, it seems that having > >> ENABLE_IPT_LOCAL_NAT enabled should be sufficient to enable --NAT-local > >> functionality. (I understand that ENABLE_IPT_FORWARDING is required forĀ > >> --NAT-access access to machines behind the firewall running fwknopd.) Am I > >> misunderstanding the meaning of these options, or could this be a bug? I > >> have > >> not yet tested this in v2.0.4, but I didn't find any mention of this > >> problem > >> in the changelog. > > Indeed the ENABLE_IPT_FORWARDING config is required for all NAT > > operations, and here is the relevant code: > > http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=server/incoming_spa.c;h=67929c20a36956fc54391ab0d3b15c25f540e2ae;hb=7bd0da29c42768ca5a8f48a8d1813c12dff363d4#l649 > > > The server is written to be restrictive in terms of what clients can > > request, and in this case even though --NAT-local implies that the local > > system running fwknopd is being accessed, the NAT table must be interacted > > with and therefore ENABLE_IPT_FORWARDING must be enabled. It's sort of > > the general gate to determine whether any NAT capabilities are offered to > > valid SPA clients. > > Ah, thanks for clarifying. I didn't realize ENABLE_IPT_LOCAL_NAT was > dependent on ENABLE_IPT_FORWARDING. I suppose this makes sense, as you point > out that in both > --NAT-local & --NAT-access usages iptables' 'nat' table needs to be modified > to add the DNAT rule. > > One thing that will be changing in future releases is that more NAT > > capabilities will be integrated with the access.conf file in order to > > offer more granular control on a per access stanza basis. > > That would be a terrific feature. It would be nice to be able to allow > --NAT-local access, but disallow NAT forwarding access. Is this currently > possible, on a global basis? Hmmm, interesting question - I think to accomplish this right now you would need to leverage iptables + fwknopd so that such communications are dropped before the fwknopd jump rule in the nat table. So, in the /etc/fwknop/fwknopd.conf file, you would change the IPT_DNAT_ACCESS variable to have a jump rule position after other rules (or another jump rule into a custom table) that are designed to stop traffic from being translated to the internal network. Or, you could also modify the IPT_FORWARD_ACCESS variable similarly if you want filtering rules to go in the usual place. These configurations may not work for all deployments though - just some suggestions that you would need to play with. > In particular, I'd like to use the ghost service approach (w/ --NAT-port) for > one service (nice blog article btw), and the --NAT-rand-port functionality > for another, where both services are running on the firewall. However, I > don't need to support forwarding to any servers behind the firewall, since I > am using a VPN for that, and would actually prefer to disallow this if > possible. I think some of the above ideas may work for this. Thanks, --Mike > > Thanks, > --Mike > > Thanks, > > -- > Will D. Spann > W. Spann Systems Consulting > > P.S., I've recently started following the fwknop project on GitHub. I think > the HMAC functionality you're currently adding will be a great addition. > Also, the support for randomly-generated Rijndael keys will be a nice > security enhancement. I'm looking forward to the v2.5 release. >> Thanks, > >> > >> Will D. Spann > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_mar > _______________________________________________ > Fwknop-discuss mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Fwknop-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
