Date:      Fri, 27 Jan 2012 15:29:08 +0400
From:      Pavel Timofeev <timp87@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   firewall_nat_enable in rc.firewall
Message-ID:  <CAAoTqfs3eu2aA2a+eFpmu6+55eeMVpkcoZ_O3jjE5pUF6+jaZQ@mail.gmail.com>

Hi all!

I have a small correction for /etc/rc.firewall

My conf
[hostname]# grep firewall /etc/rc.conf
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="re0"
firewall_nat_flags="same_ports reset"

[hostname]# ipfw show
00050 5175447 4519882589 nat 123 ip4 from any to any via re0
00100       0          0 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
00400       0          0 deny ip from any to ::1
00500       0          0 deny ip from ::1 to any
00600       0          0 allow ipv6-icmp from :: to ff02::/16
00700       0          0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800       1         76 allow ipv6-icmp from fe80::/10 to ff02::/16
00900       0          0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000       0          0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000     174      31790 allow ip from any to any
65535       0          0 deny ip from any to any

It seems very strange to me that the first rule is the nat rule,
because the following rules won't be passed and they look useless.

What do you think about this?
# diff -u /etc/rc.firewall /etc/rc.firewall.new
--- /etc/rc.firewall    2012-01-03 11:57:38.000000000 +0400
+++ /etc/rc.firewall.new        2012-01-27 11:53:40.000000000 +0400
@@ -169,7 +169,7 @@
                                firewall_nat_flags="if
${firewall_nat_interface} ${firewall_nat_flags}"
                        fi
                        ${fwcmd} nat 123 config log ${firewall_nat_flags}
-                       ${fwcmd} add 50 nat 123 ip4 from any to any
via ${firewall_nat_interface}
+                       ${fwcmd} add 64900 nat 123 ip4 from any to any
via ${firewall_nat_interface}
                fi
                ;;
        esac
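Review bot: swapping the literal 50 for the literal 64900 keeps the nat rule number hardcoded in rc.firewall, so a firewall_coscripts ruleset still has to know that 64900 is taken; better to make it a variable with a documented default (for example a hypothetical `firewall_nat_rule="64900"` rc.conf knob) and write `${fwcmd} add ${firewall_nat_rule} nat 123 ip4 from any to any via ${firewall_nat_interface}`. The move is also a behaviour change, not just renumbering: with the default net.inet.ip.fw.one_pass=1 a packet matched by the nat rule leaves the ruleset right after translation (the zero counters on rules 00200 to 00500 in the ipfw show output above are that effect), so at 64900 the loopback and anti-spoof rules will finally see re0 traffic, inbound packets are filtered on their untranslated addresses and outbound ones on private addresses; that intended change should be spelled out in the commit message and in the rc.conf(5) description of firewall_nat_enable.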



There are some situations when I want to use
firewall_coscripts="/etc/ipfw.sh", which stores banned IP addresses and
ports.
If the nat rule were 64900, I'd have more numbers for my own rules.
I hope you understand my English =)



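The shadowing the message describes can be checked mechanically. The script below is an added example, not code from the message or from FreeBSD's rc.firewall: it reads `ipfw show` output and lists the rules numbered above the first `nat` rule that cannot be reached by traffic on the nat interface, assuming the default net.inet.ip.fw.one_pass=1 (a packet matched by a nat rule leaves the ruleset immediately). The function names and the embedded sample, reconstructed from the ruleset in the message, are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original e-mail.
# Lists rules that an ipfw "nat ... via <if>" rule shadows. Assumes the
# default net.inet.ip.fw.one_pass=1, where the nat rule is terminal, so a
# rule above it only sees packets the nat rule did not match. Rules bound
# to another interface ("via lo0") and, for an ip4-only nat rule, IPv6
# rules are not shadowed and are skipped. Reads "ipfw show" on stdin.
shadowed_after_nat() {
    awk '
        # columns: number packets bytes action ...
        natnum == 0 && $4 == "nat" {
            natnum = $1 + 0
            for (i = 5; i <= NF; i++) {
                if ($i == "via") natif = $(i + 1)
                if ($i == "ip4") natv4 = 1
            }
            next
        }
        natnum > 0 && $1 + 0 > natnum && $1 + 0 < 65535 && $2 + 0 == 0 {
            # an ip4-only nat rule never matches IPv6, so IPv6 rules still run
            if (natv4 && ($5 == "ipv6-icmp" || $0 ~ /ip6|::/)) next
            iface = ""
            for (i = 5; i <= NF; i++) if ($i == "via") iface = $(i + 1)
            if (iface == "" || iface == natif) {
                rule = $4
                for (i = 5; i <= NF; i++) rule = rule " " $i
                print $1, rule
            }
        }
    '
}

# Constructed sample: the ruleset from the message, with the wrapped
# icmp6types line joined back together.
sample_ipfw_show() {
    cat <<'EOF'
00050 5175447 4519882589 nat 123 ip4 from any to any via re0
00100       0          0 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
00400       0          0 deny ip from any to ::1
00500       0          0 deny ip from ::1 to any
00600       0          0 allow ipv6-icmp from :: to ff02::/16
00700       0          0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800       1         76 allow ipv6-icmp from fe80::/10 to ff02::/16
00900       0          0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000       0          0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000     174      31790 allow ip from any to any
65535       0          0 deny ip from any to any
EOF
}

# Run against the sample; on a live box use: ipfw show | shadowed_after_nat
sample_ipfw_show | shadowed_after_nat
```

On the sample this reports 00200 and 00300, the two anti-spoof rules for 127.0.0.0/8 that re0 traffic never reaches because rule 00050 has already translated and accepted it. Zero counters alone are not proof of shadowing (the IPv6 rules are simply idle), which is why the script also checks the interface and address family; with net.inet.ip.fw.one_pass=0 the packet continues after translation and the check does not apply.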