Date:      Sun, 24 Jan 2016 17:41:17 -0700
From:      "Russell L. Carter" <rcarter@pinyon.org>
To:        freebsd-net@freebsd.org
Subject:   ipfw NAT /etc/rc.firewall question
Message-ID:  <56A56F2D.2030200@pinyon.org>

Hi,

I am making myself learn better how ipfw works.  I am curious about
the optimal location of the NAT rule definition code.  My immediate
application is a generic NATing gateway with an outside iface armored
up and an inside iface permitting general anarchy.  The usual services
will be accessible to both sides.  I plan to use kernel nat.
Looking at /etc/rc.firewall:

In the "open" | "client" section, natd/kernel nat are configured prior
to other rules.

In the "simple" section, natd only is configured after a bunch of
rules, and before a bunch more.

My question is about the rules that come right after the natd
configuration: a bunch of deny rules for problematic addresses. Here's
the beginning and end of the section I'm curious about:

${fwcmd} add deny all from "table($BAD_ADDR_TBL)" to any via ${oif}
if [ -n "$inet6" ]; then
	# Stop unique local unicast address on the outside interface
	${fwcmd} add deny all from fc00::/7 to any via ${oif6}
	${fwcmd} add deny all from any to fc00::/7 via ${oif6}
...
	${fwcmd} add deny all from ff05::/16 to any via ${oif6}
	${fwcmd} add deny all from any to ff05::/16 via ${oif6}
fi

Reading the comment before the nat configuration, and also many
comments provided by the goog, suggests that it's better to define as
many rules as possible before the nat config.

But these rules are placed after.  Can someone explain to me why this
is better|required?  I suspect I am missing something possibly
important.

This is stable/10.

Thanks,
Russell
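As an added illustration (not part of Russell's post, and not code from FreeBSD's rc.firewall), here is a small Python model of ipfw's first-match evaluation with an in-kernel nat rule. It pushes the same four packets through three rule orders: the /etc/rc.firewall "simple" layout (`deny ... to table(BAD_ADDR_TBL) via oif` before nat, `deny ... from table(BAD_ADDR_TBL) via oif` after it) and the two alternatives of putting both deny rules before, or both after, the nat rule. The model assumes first-match semantics, that `via ${oif}` matches a packet in either direction on the outside interface, that nat rewrites the source of outbound packets to the gateway's public address and the destination of matching inbound packets back to the internal host, and that net.inet.ip.fw.one_pass is 0 so a packet keeps walking the ruleset after nat (ipfw(8) says to clear it for exactly that). The interface name, addresses and table contents are constructed for the example.

```python
"""Toy model of ipfw first-match rule evaluation plus an in-kernel nat
rule, to show why rc.firewall's "simple" type puts the "to table(BAD)"
deny rules before nat and the "from table(BAD)" deny rules after it.

Added example, not FreeBSD code.  Assumptions: first match decides;
`via OIF` matches both directions on the outside interface; nat rewrites
outbound src to PUBLIC_IP and, for a known session, inbound dst back to
the inside host; net.inet.ip.fw.one_pass=0 so evaluation continues past
the nat rule.  All names and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

ip = ipaddress.ip_address
OIF = "em0"                                  # constructed outside interface
PUBLIC_IP = ip("198.51.100.10")              # constructed WAN address (TEST-NET-2)
BAD_ADDR_TBL = [ipaddress.ip_network(n)      # stands in for rc.firewall's table
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    iface: str       # interface the packet crosses
    direction: str   # "in" or "out" on that interface


def in_table(addr, table):
    return any(addr in net for net in table)


# Each rule takes (packet, nat_state) and returns (verdict, packet);
# verdict None means "no match, continue with the next rule".
def deny_to_bad(pkt, nat_state):
    """deny all from any to table(BAD_ADDR_TBL) via oif"""
    if pkt.iface == OIF and in_table(pkt.dst, BAD_ADDR_TBL):
        return "deny", pkt
    return None, pkt


def deny_from_bad(pkt, nat_state):
    """deny all from table(BAD_ADDR_TBL) to any via oif"""
    if pkt.iface == OIF and in_table(pkt.src, BAD_ADDR_TBL):
        return "deny", pkt
    return None, pkt


def nat_rule(pkt, nat_state):
    """nat 123 ip4 from any to any via oif (one_pass=0: fall through)"""
    if pkt.iface != OIF:
        return None, pkt
    if pkt.direction == "out":
        nat_state[pkt.dst] = pkt.src          # remember which inside host talked to dst
        return None, replace(pkt, src=PUBLIC_IP)
    if pkt.dst == PUBLIC_IP and pkt.src in nat_state:
        return None, replace(pkt, dst=nat_state[pkt.src])
    return None, pkt


def allow_all(pkt, nat_state):
    return "allow", pkt


def run(ruleset, pkt, nat_state):
    """Walk the ruleset first-match style and return the verdict."""
    for rule in ruleset:
        verdict, pkt = rule(pkt, nat_state)
        if verdict is not None:
            return verdict
    return "deny"    # ipfw's compiled-in default when nothing matched


LAN_HOST = ip("192.168.1.20")     # constructed inside host
REMOTE = ip("203.0.113.5")        # constructed Internet peer (TEST-NET-3)


def scenarios(ruleset):
    """Run four packets through one ruleset; returns {name: verdict}."""
    st = {}
    return {
        # legitimate LAN host talking out through the gateway
        "lan_out":  run(ruleset, Packet(LAN_HOST, REMOTE, OIF, "out"), st),
        # the peer's reply, addressed to our public IP
        "reply_in": run(ruleset, Packet(REMOTE, PUBLIC_IP, OIF, "in"), st),
        # spoofed packet with an RFC 1918 source arriving from the Internet
        "spoof_in": run(ruleset, Packet(ip("10.1.2.3"), PUBLIC_IP, OIF, "in"), st),
        # misrouted packet for an RFC 1918 destination leaking out oif
        "leak_out": run(ruleset, Packet(LAN_HOST, ip("172.16.5.5"), OIF, "out"), st),
    }


# rc.firewall "simple" order: "to bad" before nat, "from bad" after nat
RC_FIREWALL_ORDER = [deny_to_bad, nat_rule, deny_from_bad, allow_all]
# the two tempting alternatives
ALL_BEFORE_NAT = [deny_to_bad, deny_from_bad, nat_rule, allow_all]
ALL_AFTER_NAT = [nat_rule, deny_to_bad, deny_from_bad, allow_all]

if __name__ == "__main__":
    for name, rs in (("rc.firewall order", RC_FIREWALL_ORDER),
                     ("all deny rules before nat", ALL_BEFORE_NAT),
                     ("all deny rules after nat", ALL_AFTER_NAT)):
        print(f"{name:26s} {scenarios(rs)}")
```

The three result lines show the asymmetry. With both deny rules before nat, a LAN host's own outbound packet still carries its private source when the "from table" rule sees it, so it is dropped. With both after nat, the reply to that host has already had its destination translated back to the private address when the "to table" rule sees it, so the reply is dropped. The split placement is the only order in which each address check sees the public side of every packet. On a real stable/10 box the post-nat rules are only reached if net.inet.ip.fw.one_pass is 0, which is the first sysctl to check if they appear to be skipped.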