From: "Russell L. Carter" <rcarter@pinyon.org>
To: freebsd-net@freebsd.org
Subject: ipfw NAT /etc/rc.firewall question
Date: Sun, 24 Jan 2016 17:41:17 -0700
Message-ID: <56A56F2D.2030200@pinyon.org>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I am making myself learn better how ipfw works.

I am curious about the optimal location of the NAT rule definition code. My immediate application is a generic NATing gateway with an outside iface armored up and an inside iface permitting general anarchy. The usual services will be accessible to both sides. I plan to use kernel nat.

Looking at /etc/rc.firewall:

In the "open" | "client" section, natd/kernel nat are configured prior to other rules.

In the "simple" section, natd only is configured after a bunch of rules, and before a bunch more.

My question is: right after the natd configuration are a bunch of rules that specify deny rules for problematic addresses. Here's the beginning and end of the section I'm curious about:

    ${fwcmd} add deny all from "table($BAD_ADDR_TBL)" to any via ${oif}

    if [ -n "$inet6" ]; then
            # Stop unique local unicast address on the outside interface
            ${fwcmd} add deny all from fc00::/7 to any via ${oif6}
            ${fwcmd} add deny all from any to fc00::/7 via ${oif6}
    ...
            ${fwcmd} add deny all from ff05::/16 to any via ${oif6}
            ${fwcmd} add deny all from any to ff05::/16 via ${oif6}
    fi

Reading the comment before the nat configuration, and also many comments provided by the goog, suggests it's better to define as many rules as possible before the nat config. But these rules are placed after.

Can someone explain to me why this is better|required? I suspect I am missing something possibly important.

This is stable/10.

Thanks,
Russell
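The rule placement the post asks about, modelled as an added example (this is not code from the post or from /etc/rc.firewall): a POSIX sh dry run that prints an rc.firewall-style ruleset with the private-address checks split around the nat rule, then walks one outbound and one inbound packet through it, applying the translation at the nat rule and continuing at the next rule (which is what natd's divert reinjection does, and what kernel nat does with net.inet.ip.fw.one_pass=0). The interface name, the 203.0.113.1 public address, the 192.168.1.0/24 inside net and the inbound mapping to 192.168.1.10 are constructed placeholders; the RFC 1918 prefixes stand in for the BAD_ADDR_TBL and IPv6 rules of the real script, and the "before" and "after" layouts exist only for contrast with the split layout.

```shell
#!/bin/sh
# Added example; not code from the original post or from /etc/rc.firewall.
# Dry-run model of the "simple" layout: address checks on both sides of the
# nat rule, plus a walker showing which rule a packet hits after translation.
# Assumption: after the nat rule the packet continues at the next rule
# (natd divert reinjection, or kernel nat with net.inet.ip.fw.one_pass=0).
# Constructed placeholders: em0, 203.0.113.1, 192.168.1.0/24, 192.168.1.10.

oif=em0
oip=203.0.113.1
inet=192.168.1.0/24
nat_inside_host=192.168.1.10     # where inbound traffic to $oip is sent

# Print rules as "NUM ACTION SRC DST DIR IF" lines instead of running ipfw.
# $1 selects the layout: split (rc.firewall order), before (all checks
# before nat) or after (all checks after nat).
build_ruleset() {
    n=100
    emit() { printf '%d %s\n' "$n" "$*"; n=$((n + 100)); }
    dst_checks() {                        # "deny from any to <private>"
        emit deny any 10.0.0.0/8     any "$oif"
        emit deny any 172.16.0.0/12  any "$oif"
        emit deny any 192.168.0.0/16 any "$oif"
    }
    src_checks() {                        # "deny from <private> to any"
        emit deny 10.0.0.0/8     any any "$oif"
        emit deny 172.16.0.0/12  any any "$oif"
        emit deny 192.168.0.0/16 any any "$oif"
    }
    emit deny "$inet" any in "$oif"       # anti-spoof: inside net arriving on oif
    [ "$1" = after ]  || dst_checks
    [ "$1" = before ] && src_checks
    emit nat any any any "$oif"           # translation happens here
    [ "$1" = before ] || src_checks
    [ "$1" = after ]  && dst_checks
    emit allow any any any any
}

# Dotted quad to integer, POSIX sh only (no arrays).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR PREFIX: true when ADDR lies inside PREFIX ("any" matches all).
in_cidr() {
    [ "$2" = any ] && return 0
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    addr=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# first_match LAYOUT DIR SRC DST: walk the ruleset for a packet crossing $oif
# and print "NUM ACTION SRC DST" for the rule that terminates it, with the
# addresses as they stand at that point (i.e. after any translation).
first_match() {
    dir=$2; src=$3; dst=$4
    build_ruleset "$1" | while read -r num action rsrc rdst rdir rif; do
        [ "$rdir" = any ] || [ "$rdir" = "$dir" ] || continue
        [ "$rif" = any ]  || [ "$rif" = "$oif" ]  || continue
        in_cidr "$src" "$rsrc" || continue
        in_cidr "$dst" "$rdst" || continue
        if [ "$action" = nat ]; then
            # outbound: inside source becomes the public address;
            # inbound: traffic to the public address goes to the inside host
            [ "$dir" = out ] && in_cidr "$src" "$inet" && src=$oip
            [ "$dir" = in ]  && [ "$dst" = "$oip" ]    && dst=$nat_inside_host
            continue
        fi
        echo "$num $action $src $dst"
        break
    done
}

# Stand-alone run: one outbound and one inbound packet under each layout.
for layout in split before after; do
    printf '%-6s out 192.168.1.5 -> 198.51.100.7: %s\n' "$layout" \
        "$(first_match "$layout" out 192.168.1.5 198.51.100.7)"
    printf '%-6s in  198.51.100.7 -> 203.0.113.1: %s\n' "$layout" \
        "$(first_match "$layout" in 198.51.100.7 203.0.113.1)"
done
```

Run with `sh script.sh`. With every check placed before the nat rule, the outbound packet still carries its private source address when it reaches "deny from 192.168.0.0/16", so legitimate inside traffic is dropped; with every check placed after it, the inbound packet has already been rewritten to the inside host when it reaches "deny from any to 192.168.0.0/16", so legitimate inbound traffic is dropped. The split layout evaluates each address on the side of the nat rule where that address is still the untranslated, externally visible one, and a spoofed private source arriving on the outside interface is still caught by the post-nat "from" rules.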