Date:      Thu, 16 Sep 1999 12:45:11 +1000 (EST)
From:      Gregory Bond <gnb@itga.com.au>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   conf/13769: [PATCH] NATD & rc.firewall "simple" not compatible
Message-ID:  <199909160245.MAA15823@hellcat.itga.com.au>


>Number:         13769
>Category:       conf
>Synopsis:       NATD is not compatible with the "simple" firewall as shipped
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 15 19:50:00 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
ITG Australia Ltd
>Environment:

FreeBSD hellcat.itga.com.au 3.2-STABLE FreeBSD 3.2-STABLE #1: Mon Aug  2 14:37:40 EST 1999     toor@hellcat.itga.com.au:/usr/src/sys/compile/Hellcat  i386

>Description:

As shipped, the rc.firewall file contains a "simple" firewall
config.  Presumably, many users will base their configs on this
example.  This config attempts to trap spoofing of addresses on
RFC1918 nets from using the external interface.  If NATD is in use
and your internal net is an RFC1918 net, then these anti-spoofing
rules trap legitimate inbound packets that have been processed by
natd. The end result is that you can't actually use natd to connect
to outside hosts.  The fix is to apply the RFC1918 traps only to
incoming or outgoing packets as required.

As an aside, both the natd divert rule and the somewhat important
'any to any via lo0' rule wind up as rule # 100.

The attached patch fixes both these problems.

>How-To-Repeat:

Use a 192.168.x.y internal network and NATD.  Add a rule like

	$fwcmd add pass log tcp from ${mel} to any ssh out via ${oif} setup

and note that outgoing packets are accepted by this rule and sent to the
internet, but incoming packets are trapped by the rule that says 

	$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

and no outgoing ssh is possible.
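To make the failure described above concrete, here is an added toy model of ipfw first-match evaluation with a natd divert rule; it is not part of the PR or of rc.firewall, and the interface name, addresses and rule numbers are constructed. It shows the natd-translated reply being dropped by the shipped "via ${oif}" rules and passing the direction-specific form, while a spoofed inbound RFC1918 source is still denied.

```python
import ipaddress

OIF = "ep0"                                     # outside interface (constructed name)
PUBLIC, INSIDE = "203.0.113.7", "192.168.1.5"  # constructed public / inside addresses
RFC1918 = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):
    """rule = (num, action, src, dst, dir, iface); dir/iface None = unrestricted."""
    _, _, src, dst, direction, iface = rule
    return (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)
            and direction in (None, pkt["dir"]) and iface in (None, pkt["via"]))

def natd(pkt):
    """What natd does for one inside host: rewrite dst inbound, src outbound."""
    if pkt["dir"] == "in" and pkt["dst"] == PUBLIC:
        return {**pkt, "dst": INSIDE}
    if pkt["dir"] == "out" and pkt["src"] == INSIDE:
        return {**pkt, "src": PUBLIC}
    return pkt

def run(rules, pkt):
    """Walk rules in number order (stable for equal numbers, as ipfw does);
    a divert match translates the packet, which then continues at the next rule."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if matches(rule, pkt):
            if rule[1] != "divert":
                return rule[1]
            pkt = natd(pkt)
    return "deny"                                # ipfw default policy

def ruleset(directional):
    """directional=False: shipped 'via ${oif}' rules; True: patched 'in via'/'out via'."""
    rules = [(100, "divert", "any", "any", None, OIF)]   # natd divert rule
    for net in RFC1918:
        rules.append((300, "deny", net, "any", "in" if directional else None, OIF))
        rules.append((300, "deny", "any", net, "out" if directional else None, OIF))
    rules.append((400, "pass", "any", "any", None, None))  # stands in for 'pass tcp ... established'
    return rules

# Constructed packets: a reply to the inside host's ssh session, and a spoofed inbound one.
REPLY = {"src": "198.51.100.9", "dst": PUBLIC, "dir": "in", "via": OIF}
SPOOF = {"src": "10.1.2.3", "dst": PUBLIC, "dir": "in", "via": OIF}

if __name__ == "__main__":
    print("shipped rules, natd reply:", run(ruleset(False), REPLY))   # deny
    print("patched rules, natd reply:", run(ruleset(True), REPLY))    # pass
    print("patched rules, spoofed src:", run(ruleset(True), SPOOF))   # deny
```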

>Fix:
	
--- etc/rc.firewall.orig	Thu Sep 16 12:31:07 1999
+++ etc/rc.firewall	Thu Sep 16 12:32:45 1999
@@ -79,7 +79,7 @@
 
 ############
 # Only in rare cases do you want to change these rules
-$fwcmd add 100 pass all from any to any via lo0
+$fwcmd add 150 pass all from any to any via lo0
 $fwcmd add 200 deny all from any to 127.0.0.0/8
 
 
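Review bot: the renumbering of the loopback pass rule from 100 to 150 should carry a comment in the hunk saying why, since the reason (the natd divert rule is also added as rule 100, so the two collide) is only in the PR text and not in the file; a reader of rc.firewall alone will not see it. It is also worth confirming that no other rule in the file already uses 150, and that the loopback pass still sits ahead of the `deny all from any to 127.0.0.0/8` at 200.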
@@ -151,12 +151,12 @@
     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
 
     # Stop RFC1918 nets on the outside interface
-    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
-    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
-    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
-    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
-    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
-    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
+    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
+    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
+    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
+    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
+    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
+    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}
 
     # Allow TCP through if setup succeeded
     $fwcmd add pass tcp from any to any established
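Review bot: the comment "Stop RFC1918 nets on the outside interface" above the rewritten rules no longer describes what they do. The old rules dropped RFC1918 addresses in either direction; the new ones only drop inbound packets with an RFC1918 source and outbound packets with an RFC1918 destination, which is the intended change so that natd-translated replies survive, but it also means users of the "simple" config who do not run natd lose the two checks that were dropped. Suggest updating the comment to state the direction each rule now covers and to mention the natd dependency.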

>Release-Note:
>Audit-Trail:
>Unformatted:

