Date: Fri, 14 Nov 2008 00:31:25 -0800 From: Julian Elischer <julian@elischer.org> To: Ian Smith <smithi@nimnet.asn.au> Cc: FreeBSD Net <freebsd-net@freebsd.org>, ipfw@freebsd.org Subject: Re: rc.firewall quick change Message-ID: <491D375D.1070809@elischer.org> In-Reply-To: <20081114133913.K70117@sola.nimnet.asn.au> References: <491CD94F.3020207@elischer.org> <20081114133913.K70117@sola.nimnet.asn.au>
next in thread | previous in thread | raw e-mail | index | archive | help
Ian Smith wrote:
> On Thu, 13 Nov 2008, Julian Elischer wrote:
> > At home I use the following change.
> >
> >
> > basically, instead of doing 8 rules before and after the nat,
> > use a table and to 1 rule on each side.
> >
> >
> > any objections?
>
> Only that if people are already using tables for anything, chances are
> they've already used table 1 (well, it's the first one I used :) How
> about using table 127 for this as a rather less likely prior choice?
yes I thought of that..
in fact it should be ${BLOCKTABLE} and let the user define what he
wants. (defaulting to 99 or something).
Remember though that a user wouldn't be using 'simple' if he's using
his own tables etc.
>
> Apart from that, this will speed up 'simple' on a path every packet
> takes, which has to be a good thing.
>
> While I'm at it, I'll offer my own rc.firewall patch again in the
> following message. Perhaps you'd care to review it in this context?
>
> cheers, Ian
>
> > (warning, cut-n-paste patch.. will not apply)
> >
> > Index: rc.firewall
> > ===================================================================
> > --- rc.firewall (revision 184948)
> > +++ rc.firewall (working copy)
> > @@ -231,19 +231,24 @@
> > ${fwcmd} add deny all from ${onet} to any in via ${iif}
> >
> > # Stop RFC1918 nets on the outside interface
> > - ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
> > - ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
> > - ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
> > + ${fwcmd} table 1 add 10.0.0.0/8
> > + ${fwcmd} table 1 add 172.16.0.0/12
> > + ${fwcmd} table 1 add 192.168.0.0/16
> >
> > # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
> > RESERVED-1,
> > # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class
> > E)
> > # on the outside interface
> > - ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
> > - ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
> > - ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
> > - ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
> > - ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
> > + ${fwcmd} table 1 add 0.0.0.0/8
> > + ${fwcmd} table 1 add 169.254.0.0/16
> > + ${fwcmd} table 1 add 192.0.2.0/24
> > + ${fwcmd} table 1 add 224.0.0.0/4
> > + ${fwcmd} table 1 add 240.0.0.0/4
> >
> > + # Stop the above nets with the table
> > +
> > + ${fwcmd} add deny all from any to "table(1)" via ${oif}
> > +
> > +
> > # Network Address Translation. This rule is placed here deliberately
> > # so that it does not interfere with the surrounding address-checking
> > # rules. If for example one of your internal LAN machines had its IP
> > @@ -260,19 +265,8 @@
> > esac
> >
> > # Stop RFC1918 nets on the outside interface
> > - ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
> > - ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
> > - ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
> > + ${fwcmd} add deny all from "table(1)" to any via ${oif}
> >
> > - # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
> > RESERVED-1,
> > - # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class
> > E)
> > - # on the outside interface
> > - ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
> > - ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
> > - ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
> > - ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
> > - ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
> > -
> > # Allow TCP through if setup succeeded
> > ${fwcmd} add pass tcp from any to any established
> >
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> >
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?491D375D.1070809>