From: Julian Elischer
To: Ian Smith
Cc: FreeBSD Net, ipfw@freebsd.org
Subject: Re: rc.firewall quick change
Date: Fri, 14 Nov 2008 00:31:25 -0800
Message-ID: <491D375D.1070809@elischer.org>
In-Reply-To: <20081114133913.K70117@sola.nimnet.asn.au>
References: <491CD94F.3020207@elischer.org> <20081114133913.K70117@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

Ian Smith wrote:
> On Thu, 13 Nov 2008, Julian Elischer wrote:
> > At home I use the following change.
> >
> > basically, instead of doing 8 rules before and after the nat,
> > use a table and to 1 rule on each side.
> >
> > any objections?
>
> Only that if people are already using tables for anything, chances are
> they've already used table 1 (well, it's the first one I used :) How
> about using table 127 for this as a rather less likely prior choice?

yes I thought of that.. in fact it should be ${BLOCKTABLE} and let the user define what he wants. (defaulting to 99 or something).

Remember though that a user wouldn't be using 'simple' if he's using his own tables etc.

> Apart from that, this will speed up 'simple' on a path every packet
> takes, which has to be a good thing.
>
> While I'm at it, I'll offer my own rc.firewall patch again in the
> following message. Perhaps you'd care to review it in this context?
>
> cheers, Ian
>
> > (warning, cut-n-paste patch.. will not apply)
> >
> > Index: rc.firewall
> > ===================================================================
> > --- rc.firewall (revision 184948)
> > +++ rc.firewall (working copy)
> > @@ -231,19 +231,24 @@ > > ${fwcmd} add deny all from ${onet} to any in via ${iif} > > > > # Stop RFC1918 nets on the outside interface > > - ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} > > - ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} > > - ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} > > + ${fwcmd} table 1 add 10.0.0.0/8 > > + ${fwcmd} table 1 add 172.16.0.0/12 > > + ${fwcmd} table 1 add 192.168.0.0/16 > > > > # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes > > RESERVED-1, > > # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class > > E) > > # on the outside interface > > - ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} > > - ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif} > > - ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} > > - ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif} > > - ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} > > + ${fwcmd} table 1 add 0.0.0.0/8 > > + ${fwcmd} table 1 add 169.254.0.0/16 > > + ${fwcmd} table 1 add 192.0.2.0/24 > > + ${fwcmd} table 1 add 224.0.0.0/4 > > + ${fwcmd} table 1 add 240.0.0.0/4 > > > > + # Stop the above nets with the table > > + > > + ${fwcmd} add deny all from any to "table(1)" via ${oif} > > + > > + > > # Network Address Translation. This rule is placed here deliberately > > # so that it does not interfere with the surrounding address-checking > > # rules. If for example one of your internal LAN machines had its IP 
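Review bot: the eight `${fwcmd} table 1 add ...` lines populate a hard-coded table number with no flush in front of them. As the thread already notes, 1 is the table number a user is most likely to have taken for something else, so the number should come from a variable (the reply suggests ${BLOCKTABLE} with a default such as 99), and a `${fwcmd} table N flush` before the adds would keep a re-run of rc.firewall from failing on entries that are already present. The comment left above the first three adds, `# Stop RFC1918 nets on the outside interface`, is also now misleading, since those lines only fill the table and the actual deny is the later `add deny all from any to "table(1)" via ${oif}` rule; two blank `+` lines after that rule are a stray whitespace change.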
> > @@ -260,19 +265,8 @@ > > esac > > > > # Stop RFC1918 nets on the outside interface > > - ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} > > - ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} > > - ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} > > + ${fwcmd} add deny all from "table(1)" to any via ${oif} > > > > - # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes > > RESERVED-1, > > - # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class > > E) > > - # on the outside interface > > - ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} > > - ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} > > - ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} > > - ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} > > - ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} > > - > > # Allow TCP through if setup succeeded > > ${fwcmd} add pass tcp from any to any established > > > > _______________________________________________ > > freebsd-ipfw@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
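Review bot: the comment kept above the new rule, `# Stop RFC1918 nets on the outside interface`, no longer describes what the rule does: `add deny all from "table(1)" to any via ${oif}` also covers the draft-manning-dsua-03 nets whose comment block this hunk deletes. Reword it along the lines of "Stop RFC1918 and draft-manning-dsua-03 nets (see table above) on the outside interface" so the post-NAT deny is documented as matching the same set as the pre-NAT one.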
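The ${BLOCKTABLE} variant discussed above, written out as an added example rather than the patch from the thread: the table number comes from a variable with a default of 99, the table is flushed before it is filled, and one deny rule sits on each side of the NAT rule. The variable name `firewall_blocktable`, the default interface `em0` and the dry-run `fwcmd` are assumptions; real rc.firewall takes `fwcmd` and `oif` from rc.conf.

```shell
#!/bin/sh
# Added example, not the rc.firewall patch from the thread.
# Dry-run by default: print the ipfw commands instead of executing them.
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-em0}"
# Assumed rc.conf knob; defaults to table 99 as suggested in the reply.
BLOCKTABLE="${firewall_blocktable:-99}"

# RFC1918 plus draft-manning-dsua-03 nets, the same eight as the patch.
bogon_nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

# Fill the table. Flushing first keeps a re-run of the script from
# failing on entries that already exist.
load_block_table() {
    ${fwcmd} table "${BLOCKTABLE}" flush
    for net in ${bogon_nets}; do
        ${fwcmd} table "${BLOCKTABLE}" add "${net}"
    done
}

# One deny rule before the NAT rule (packets headed for bogon space) ...
deny_to_table() {
    ${fwcmd} add deny all from any to "table(${BLOCKTABLE})" via "${oif}"
}

# ... and one after it (packets claiming to come from bogon space).
deny_from_table() {
    ${fwcmd} add deny all from "table(${BLOCKTABLE})" to any via "${oif}"
}

# Sanity check for the dry run: how many "table N add" lines were emitted.
count_table_adds() {
    load_block_table | grep -c " table ${BLOCKTABLE} add "
}
```

Run it as-is to see the commands it would issue; set `fwcmd=/sbin/ipfw` to apply them.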