Date: Sun, 24 Jan 2016 17:41:17 -0700
From: "Russell L. Carter" <rcarter@pinyon.org>
To: freebsd-net@freebsd.org
Subject: ipfw NAT /etc/rc.firewall question
Message-ID: <56A56F2D.2030200@pinyon.org>
Hi,

I am making myself learn better how ipfw works. I am curious about the optimal location of the NAT rule definition code. My immediate application is a generic NATing gateway with an outside iface armored up and an inside iface permitting general anarchy. The usual services will be accessible to both sides. I plan to use kernel nat.

Looking at /etc/rc.firewall:

In the "open" | "client" section, natd/kernel nat are configured prior to other rules.

In the "simple" section, natd only is configured after a bunch of rules, and before a bunch more.

My question is: right after the natd configuration are a bunch of rules that specify deny rules for problematic addresses. Here's the beginning and end of the section I'm curious about:

    ${fwcmd} add deny all from "table($BAD_ADDR_TBL)" to any via ${oif}

    if [ -n "$inet6" ]; then
        # Stop unique local unicast address on the outside interface
        ${fwcmd} add deny all from fc00::/7 to any via ${oif6}
        ${fwcmd} add deny all from any to fc00::/7 via ${oif6}
        ...
        ${fwcmd} add deny all from ff05::/16 to any via ${oif6}
        ${fwcmd} add deny all from any to ff05::/16 via ${oif6}
    fi

Reading the comment before the nat configuration, and also many comments provided by the goog, suggests it's better to define as many rules as possible before the nat config. But these rules are placed after. Can someone explain to me why this is better|required? I suspect I am missing something possibly important.

This is stable/10.

Thanks,
Russell