Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 26 Jul 2000 12:33:04 -0500 (CDT)
From:      Stephen Montgomery-Smith <stephen@cauchy.math.missouri.edu>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   conf/20197: rc.firewall with firewall_type=simple doesn't work with natd
Message-ID:  <200007261733.MAA35440@cauchy.math.missouri.edu>
next in thread | raw e-mail | index | archive | help 

>Number:         20197
>Category:       conf
>Synopsis:       rc.firewall with firewall_type=simple doesn't work with natd
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 26 10:40:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Stephen Montgomery-Smith
>Release:        FreeBSD 4.1-RC i386
>Organization:
University of Missouri
>Environment:

Using the default /etc/rc.firewall with firewall_type=simple ;
using natd ;
Having an internal network that uses any of the unregistered ip numbers
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

>Description:

Incoming packets that get translated by natd to be on the internal
network are killed by the rules following the line
# Stop RFC1918 nets on the outside interface

>How-To-Repeat:

Happens every time

>Fix:

Have the natd divert rule come after the lines associated with
# Stop RFC1918 nets on the outside interface
Here is a patch to /etc/rc.firewall


--- /usr/etc-chg/4.0158/etc/rc.firewall	Sat Jul 15 19:31:58 2000
+++ rc.firewall	Wed Jul 26 02:28:01 2000
@@ -178,6 +178,17 @@
 	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
 	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 
+	# Change the natd rule to here, otherwise the RFC1918 rules might
+	# kill valid packets made by natd
+	case ${natd_enable} in
+	[Yy][Ee][Ss])
+		if [ -n "${natd_interface}" ]; then
+		${fwcmd} delete 50
+	      	${fwcmd} add divert natd all from any to any via ${natd_interface}
+		fi
+		;;
+	esac
+
 	# Stop draft-manning-dsua-01.txt nets on the outside interface
 	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
 	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}


>Release-Note:
>Audit-Trail:
>Unformatted:
 Stephen Montgomery-Smith


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200007261733.MAA35440>