From owner-freebsd-bugs Wed Jul 26 10:40:07 2000
Message-Id: <200007261733.MAA35440@cauchy.math.missouri.edu>
Date: Wed, 26 Jul 2000 12:33:04 -0500 (CDT)
From: Stephen Montgomery-Smith
Reply-To: stephen@math.missouri.edu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: conf/20197: rc.firewall with firewall_type=simple doesn't work with natd

>Number:         20197
>Category:       conf
>Synopsis:       rc.firewall with firewall_type=simple doesn't work with natd
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 26 10:40:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Stephen Montgomery-Smith
>Release:        FreeBSD 4.1-RC i386
>Organization:
University of Missouri
>Environment:
Using the default /etc/rc.firewall with firewall_type=simple; using natd; having an internal network that uses any of the unregistered IP numbers 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
>Description:
Incoming packets that get translated by natd to be on the internal network are killed by the rules following the line
# Stop RFC1918 nets on the outside interface
>How-To-Repeat:
Happens every time.
>Fix:
Have the natd divert rule come after the lines associated with
# Stop RFC1918 nets on the outside interface
Here is a patch to /etc/rc.firewall
--- /usr/etc-chg/4.0158/etc/rc.firewall	Sat Jul 15 19:31:58 2000
+++ rc.firewall	Wed Jul 26 02:28:01 2000
@@ -178,6 +178,17 @@ ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} + # Change the natd rule to here, otherwise the RFC1918 rules might + # kill valid packets made by natd + case ${natd_enable} in + [Yy][Ee][Ss]) + if [ -n "${natd_interface}" ]; then + ${fwcmd} delete 50 + ${fwcmd} add divert natd all from any to any via ${natd_interface} + fi + ;; + esac + # Stop draft-manning-dsua-01.txt nets on the outside interface ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} >Release-Note: >Audit-Trail: >Unformatted: Stephen Montgomery-Smith To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
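Review bot: placing the divert below `${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}` fixes the inbound case but breaks the outbound one: a packet leaving via ${oif} from an internal 192.168.x.y host still carries its private source address when it reaches that deny rule, because translation only happens at the divert further down, so it is dropped before natd ever sees it (`via` matches both directions). Restricting the RFC1918 deny pair to inbound traffic (`in via ${oif}`) while keeping the divert ahead of them would cover both directions. Also, `${fwcmd} delete 50` hard-codes the number the earlier block gave the original divert rule, and the `case ${natd_enable}` test is duplicated; moving the original block instead of copying it would remove both the delete and the duplication.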
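A toy model of the ipfw evaluation order this PR is about, added here as an illustration and not code from the PR or from rc.firewall. It assumes constructed addresses and a reduced rule set (the natd divert, the RFC1918 deny pair, a final allow), and also tries a third ordering, with the deny rules restricted to `in via ${oif}`, which is not proposed on this page:

```python
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"       # constructed: the router's outside (${oif}) address
INTERNAL_HOST = "192.168.1.10"  # constructed: a host behind natd
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet crosses ("oif" = outside)
    direction: str   # "in" or "out"

def natd(pkt):
    """Stand-in for natd: rewrite inbound dst / outbound src on the outside interface."""
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP:
        return replace(pkt, dst=INTERNAL_HOST)
    if pkt.direction == "out" and pkt.src == INTERNAL_HOST:
        return replace(pkt, src=PUBLIC_IP)
    return pkt

def private(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def evaluate(pkt, rules):
    """Walk rules in order; 'divert' hands the packet to natd and resumes at the next rule."""
    for rule in rules:
        if rule == "divert":
            pkt = natd(pkt)
        elif rule.startswith("deny_rfc1918"):
            # 'via ${oif}' matches both directions; the '_in' variant models 'in via ${oif}'
            if rule.endswith("_in") and pkt.direction != "in":
                continue
            if pkt.iface == "oif" and (private(pkt.src) or private(pkt.dst)):
                return "deny"
        elif rule == "allow":
            return "allow"
    return "deny"  # ipfw default rule: deny

SHIPPED = ["divert", "deny_rfc1918", "allow"]     # rc.firewall as shipped: divert at rule 50 first
PR_ORDER = ["deny_rfc1918", "divert", "allow"]    # ordering proposed in the PR
IN_ONLY = ["deny_rfc1918_in", "divert", "allow"]  # deny pair limited to inbound, divert kept ahead

def check(rules):
    """Verdicts for one inbound and one outbound NATed flow (constructed addresses)."""
    inbound = Packet("198.51.100.7", PUBLIC_IP, "oif", "in")
    outbound = Packet(INTERNAL_HOST, "198.51.100.7", "oif", "out")
    return {"in": evaluate(inbound, rules), "out": evaluate(outbound, rules)}
```

The shipped order drops the translated inbound packet, the PR's order drops the untranslated outbound one, and only the inbound-restricted variant passes both while still rejecting a spoofed private source arriving on the outside interface.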