From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 27 12:00:06 2012
From: Pavel Timofeev <timp87@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Fri, 27 Jan 2012 15:29:08 +0400
Subject: firewall_nat_enable in rc.firewall
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

Hi all!

I have a small correction for /etc/rc.firewall.

My conf:

[hostname]# grep firewall /etc/rc.conf
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="re0"
firewall_nat_flags="same_ports reset"

[hostname]# ipfw show
00050 5175447 4519882589 nat 123 ip4 from any to any via re0
00100       0          0 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
00400       0          0 deny ip from any to ::1
00500       0          0 deny ip from ::1 to any
00600       0          0 allow ipv6-icmp from :: to ff02::/16
00700       0          0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800       1         76 allow ipv6-icmp from fe80::/10 to ff02::/16
00900       0          0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000       0          0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000     174      31790 allow ip from any to any
65535       0          0 deny ip from any to any

It seems very strange to me that the first rule is the nat rule, because the following rules won't be reached and they look useless. What do you think about this?

# diff -u /etc/rc.firewall /etc/rc.firewall.new
--- /etc/rc.firewall	2012-01-03 11:57:38.000000000 +0400
+++ /etc/rc.firewall.new	2012-01-27 11:53:40.000000000 +0400
@@ -169,7 +169,7 @@
 			firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
 		fi
 		${fwcmd} nat 123 config log ${firewall_nat_flags}
-		${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
+		${fwcmd} add 64900 nat 123 ip4 from any to any via ${firewall_nat_interface}
 	fi
 	;;
 esac

There are some situations when I want to use firewall_coscripts="/etc/ipfw.sh", which stores banned IP addresses and ports. If the nat rule were 64900, I'd have more numbers for my own rules.

I hope you understand my English =)
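Review bot: renumbering the nat rule from 50 to 64900 changes what every firewall_type sees, not only "open", because the hunk's context (`fi ;; esac` closing the firewall_nat_enable case) is the shared NAT setup that runs before the firewall_type rules are added. With the default net.inet.ip.fw.one_pass=1 a packet that matches `nat 123` leaves the ruleset after translation, which is exactly why rule 50 in the listing shows 5175447 packets and rule 65000 only 174; at 64900 those same packets would traverse every earlier rule untranslated (inbound packets still carrying the external address, outbound packets still carrying the private source), and any ruleset that terminates in a deny before 64900 would never reach the nat rule at all. If the goal is to free rule numbers for co-script rules, suggest keeping 50 as the default and taking the number from a new rc.conf variable (hypothetical name firewall_nat_rule), e.g. `${fwcmd} add ${firewall_nat_rule:-50} nat 123 ip4 from any to any via ${firewall_nat_interface}`, so the position only moves when rc.conf asks for it; the change would also need a matching entry in rc.conf(5) and defaults/rc.conf.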
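The shadowing effect Pavel observes in his `ipfw show` output can be checked mechanically. The following POSIX sh script is an added example, not code from the mail or from FreeBSD: it parses `ipfw show` output, locates the `nat ... via IFACE` rule and reports every later rule that is not bound to a different interface, since under the default `net.inet.ip.fw.one_pass=1` (assumed here) such rules only ever see traffic that does not traverse IFACE. The sample listing is constructed to match the one in the mail; `shadowed_by_nat` and `nat_packet_share` are names chosen for this example.

```shell
#!/bin/sh
# Added example: detect ipfw rules shadowed by an earlier "nat ... via IFACE"
# rule.  With net.inet.ip.fw.one_pass=1 (the default, assumed here) a packet
# translated by the nat rule leaves the ruleset, so every later rule that is
# not restricted to another interface only sees traffic not passing IFACE.
# Input is "ipfw show" output on stdin.  The sample below is constructed to
# match the listing in the mail (a subset of its rules).

SAMPLE_IPFW_SHOW='00050 5175447 4519882589 nat 123 ip4 from any to any via re0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
65000 174 31790 allow ip from any to any
65535 0 0 deny ip from any to any'

# shadowed_by_nat: print "RULENO IFACE" for each rule numbered after the
# "nat ... via IFACE" rule, skipping rules explicitly bound to another
# interface (those still see their own traffic, e.g. "via lo0").
shadowed_by_nat() {
    awk '
        # ipfw show columns: rule packets bytes action ...
        $4 == "nat" && $0 ~ / via / {
            nat_rule = $1; iface = $NF; next
        }
        nat_rule != "" && $1 > nat_rule {
            if ($0 ~ / via / && $NF != iface) next
            print $1, iface
        }
    '
}

# nat_packet_share: integer percentage of all listed packets consumed by
# the nat rule; close to 100 confirms the later rules are effectively idle.
nat_packet_share() {
    awk '
        { total += $2; if ($4 == "nat") nat += $2 }
        END { printf "%d\n", (total ? 100 * nat / total : 0) }
    '
}

# Usage on the constructed sample (on a live host: ipfw show | shadowed_by_nat)
printf '%s\n' "$SAMPLE_IPFW_SHOW" | shadowed_by_nat
printf '%s\n' "$SAMPLE_IPFW_SHOW" | nat_packet_share
```

Rules reported by `shadowed_by_nat` are the ones whose counters stay at zero in the listing above; the `via lo0` rule is left out because loopback traffic never hits the `via re0` nat rule. Moving the nat rule to a high number removes the shadowing but means the earlier rules then match pre-translation addresses, which is the trade-off behind the proposed patch.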