From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 14 02:18:34 2008
Message-ID: <491CD94F.3020207@elischer.org>
Date: Thu, 13 Nov 2008 17:50:07 -0800
From: Julian Elischer
To: FreeBSD Net, ipfw@freebsd.org
Subject: rc.firewall quick change
List-Id: IPFW Technical Discussions

At home I use the following change. Basically, instead of doing 8 rules before and after the NAT, use a table and do 1 rule on each side. Any objections?

(Warning: cut-n-paste patch, will not apply.)

Index: rc.firewall
===================================================================
--- rc.firewall (revision 184948)
+++ rc.firewall (working copy)
@@ -231,19 +231,24 @@ ${fwcmd} add deny all from ${onet} to any in via ${iif} # Stop RFC1918 nets on the outside interface - ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} - ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} - ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} + ${fwcmd} table 1 add 10.0.0.0/8 + ${fwcmd} table 1 add 172.16.0.0/12 + ${fwcmd} table 1 add 192.168.0.0/16 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) # on the outside interface - ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} - ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif} - ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} - ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif} - ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} + ${fwcmd} table 1 add 0.0.0.0/8 + ${fwcmd} table 1 add 169.254.0.0/16 + ${fwcmd} table 1 add 192.0.2.0/24 + ${fwcmd} table 1 add 224.0.0.0/4 + ${fwcmd} table 1 add 240.0.0.0/4 + # Stop the above nets with the table + + ${fwcmd} add deny all from any to "table(1)" via ${oif} + + # Network Address Translation. This rule is placed here deliberately # so that it does not interfere with the surrounding address-checking # rules. If for example one of your internal LAN machines had its IP 
@@ -260,19 +265,8 @@ esac # Stop RFC1918 nets on the outside interface - ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} - ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} - ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} + ${fwcmd} add deny all from "table(1)" to any via ${oif} - # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, - # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) - # on the outside interface - ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} - ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} - ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} - ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} - ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} - # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established
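Review bot: the "${fwcmd} table 1 add ..." lines in the first hunk (the RFC1918 and draft-manning blocks) are not idempotent: the "${fwcmd} -f flush" that rc.firewall runs at the top removes rules but not table entries, so on a second run of the script (e.g. an ipfw restart) every add fails with "setsockopt(IP_FW_TABLE_ADD): File exists"; the rules still load, but the noise can hide a genuine failure. Add a "${fwcmd} table 1 flush" before the first "table 1 add". The table number is also hard-coded to 1, which will collide with any table an administrator already populates from rc.conf or their own scripts; a variable (or at least a comment naming the table as reserved) would make the clash visible.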
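Review bot: in the second hunk the comment left above the new rule, "# Stop RFC1918 nets on the outside interface", is now inaccurate, because the draft-manning-dsua-03 comment block is deleted here while table(1) still contains 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 224.0.0.0/4 and 240.0.0.0/4; a reader of this side of the NAT no longer sees what is being blocked as a source. Either keep the removed comment lines above "${fwcmd} add deny all from "table(1)" to any via ${oif}" or reword the surviving one to say the rule drops both the RFC1918 and the draft-manning nets from table 1. The behaviour itself matches the eight deleted rules (same source prefixes, same "via ${oif}", same position relative to the NAT rule), so this is a documentation point only.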