From owner-freebsd-bugs Wed Jul 26 15:10:13 2000
Date: Wed, 26 Jul 2000 15:10:06 -0700 (PDT)
Message-Id: <200007262210.PAA86270@freefall.freebsd.org>
From: Stephen Montgomery-Smith
To: freebsd-bugs@FreeBSD.org
Subject: Re: conf/20197: rc.firewall with firewall_type=simple doesn't work with natd

The following reply was made to PR conf/20197; it has been noted by GNATS.

From: Stephen Montgomery-Smith
To: freebsd-gnats-submit@FreeBSD.org, stephen@math.missouri.edu
Subject: Re: conf/20197: rc.firewall with firewall_type=simple doesn't work with natd
Date: Wed, 26 Jul 2000 17:04:25 -0500

Sorry, what I have doesn't work - use this instead:

-- 
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu

Content-Disposition: inline; filename="ddd"

--- /usr/etc-chg/4.0158/etc/rc.firewall Sat Jul 15 19:31:58 2000
+++ rc.firewall-default Wed Jul 26 17:01:10 2000
@@ -170,6 +170,17 @@ ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} + # Change the outgoing natd rule to here, otherwise the RFC1918 + # rules might kill valid packets made by natd + case ${natd_enable} in + [Yy][Ee][Ss]) + if [ -n "${natd_interface}" ]; then + ${fwcmd} delete 50 + ${fwcmd} add divert natd all from any to any out via ${natd_interface} + fi + ;; + esac + # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} @@ -177,6 +188,16 @@ ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} + + # Change the incoming natd rule to here, otherwise the RFC1918 + # rules might kill valid packets made by natd + case ${natd_enable} in + [Yy][Ee][Ss]) + if [ -n "${natd_interface}" ]; then + ${fwcmd} add divert natd all from any to any in via ${natd_interface} + fi + ;; + esac # Stop draft-manning-dsua-01.txt nets on the outside interface ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} --------------5EB7029B0FF4405F3EB04E5B-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
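Review bot: in the first hunk, `${fwcmd} delete 50` hardcodes the number of the divert rule that the earlier part of rc.firewall (not shown in this hunk) is presumed to have installed as rule 50; nothing here checks that rule 50 is actually the natd divert, so if that earlier rule is ever renumbered or omitted the delete either removes an unrelated rule or fails, and the ruleset then carries two divert rules. Rather than undoing the earlier rule at runtime, remove the original `add 50 divert natd ...` line in the same patch and add the `out via ${natd_interface}` divert here unconditionally under the same `natd_enable`/`natd_interface` guard; if the runtime delete is kept, it should be limited to the case where the original rule really exists.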
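Review bot: in the second hunk, the new `divert natd all from any to any in via ${natd_interface}` only protects natd traffic from the RFC1918 deny rules above it when `${natd_interface}` is the same interface as `${oif}`; the deny rules are keyed on `${oif}` while both divert rules are keyed on `${natd_interface}`, so with a different natd interface the deny rules still never see the translated packets and the reordering has no effect, and a comment or an explicit check for that assumption would help. The comment "Change the incoming natd rule to here" is also misleading now that the first hunk has already deleted the single bidirectional rule; this hunk adds a new inbound rule rather than moving one, and the duplicated `case ${natd_enable} in ... esac` guard could be factored into a single shell variable tested in both places.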