Date:      Wed, 8 Nov 2000 13:10:54 -0800
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Marko Cuk <cuk@cuk.nu>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: rc.firewall script & natd on 4.1.1
Message-ID:  <20001108131054.B84107@149.211.6.64.reflexcom.com>
In-Reply-To: <3A072612.F1E47C22@cuk.nu>; from cuk@cuk.nu on Mon, Nov 06, 2000 at 10:44:02PM +0100
References:  <3A05D143.8DF86396@cuk.nu> <20001105144537.Z75251@149.211.6.64.reflexcom.com> <3A072612.F1E47C22@cuk.nu>

On Mon, Nov 06, 2000 at 10:44:02PM +0100, Marko Cuk wrote:
> 
> 
> "Crist J . Clark" wrote:
> 
> >
> >
> > Details please? The natd(8) process is not actually started from
> > rc.firewall, but from rc.network. In which of these is the supposed
> > breakage? Or do you mean the divert(4) rule in rc.firewall is not
> > being added properly?
> 
> That's right!
> 
> > Could you post the actual problem and the
> > versions of the file(s) you are using?
> > --
> > Crist J. Clark                           cjclark@alum.mit.edu
> 
> Bad file:
> 
> ############
> # Setup system for firewall service.
> # $FreeBSD: src/etc/rc.firewall,v 1.30.2.6 2000/09/21 07:44:53 ru Exp $
> 
> And that one works and adds natd divert rule to ipfw correctly
> 
> # Setup system for firewall service.
> # $FreeBSD: src/etc/rc.firewall,v 1.30.2.4 2000/05/28 19:17:15 asmodai Exp $

Well, here is the diff of those two (the CVSWeb interface rocks,
BTW). The changes between the two were actually done so that the
divert rule would work correctly for a NAT setup with RFC1918
addresses.

However, one thing I just realized: in the old version, the divert(4)
rule is added provided that 'natd_enable="YES"' and 'natd_interface'
has a non-null value. Now, that has to be true, plus you have to have
'firewall_type' set to one of the valid types in the default
rc.firewall. Might that be your problem?

If not, could you run 'sh -x rc.firewall' to get some debugging output
to check what is going on?

===================================================================
RCS file: /home/ncvs/src/etc/rc.firewall,v
retrieving revision 1.30.2.4
retrieving revision 1.30.2.6
diff -u -p -r1.30.2.4 -r1.30.2.6
--- src/etc/rc.firewall 2000/05/28 19:17:15     1.30.2.4
+++ src/etc/rc.firewall 2000/09/21 07:44:53     1.30.2.6
@@ -1,6 +1,6 @@
 ############
 # Setup system for firewall service.
-# $FreeBSD: src/etc/rc.firewall,v 1.30.2.4 2000/05/28 19:17:15 asmodai Exp $
+# $FreeBSD: src/etc/rc.firewall,v 1.30.2.6 2000/09/21 07:44:53 ru Exp $
 
 # Suck in the configuration variables.
 if [ -r /etc/defaults/rc.conf ]; then
@@ -67,17 +67,23 @@ esac
 ${fwcmd} -f flush
 
 ############
-# These rules are required for using natd.  All packets are passed to
-# natd before they encounter your remaining rules.  The firewall rules
-# will then be run again on each packet after translation by natd,
-# minus any divert rules (see natd(8)).
-#
-case ${natd_enable} in
-[Yy][Ee][Ss])
-       if [ -n "${natd_interface}" ]; then
-             ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
-       fi
-       ;;
+# Network Address Translation.  All packets are passed to natd(8)
+# before they encounter your remaining rules.  The firewall rules
+# will then be run again on each packet after translation by natd
+# starting at the rule number following the divert rule.
+#
+# For ``simple'' firewall type the divert rule should be put to a
+# different place to not interfere with address-checking rules.
+# 
+case ${firewall_type} in
+[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
+       case ${natd_enable} in
+       [Yy][Ee][Ss])
+               if [ -n "${natd_interface}" ]; then
+                       ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
+               fi
+               ;;
+       esac
 esac
 
 ############
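Review bot: the new outer `case ${firewall_type} in` has only an open/client arm, so a firewall_type of closed, UNKNOWN or a custom rules filename gets no divert rule at all, even with natd_enable=YES and natd_interface set, whereas 1.30.2.4 added rule 50 for every type. Either add a `*)` arm that keeps the old `${fwcmd} add 50 divert natd all from any to any via ${natd_interface}` behaviour for the non-simple types, or say in the comment above that NAT is now wired up only for open, client and simple, so people using their own rule file know they must add the divert rule themselves.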
@@ -171,24 +177,47 @@ case ${firewall_type} in
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
 
        # Stop RFC1918 nets on the outside interface
-       ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
-       ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
-       ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 
-       # Stop draft-manning-dsua-01.txt nets on the outside interface
-       ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
+       # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
+       # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
+       # on the outside interface
        ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
-       ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
-       ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
        ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
-       ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
-       ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
+
+       # Network Address Translation.  This rule is placed here deliberately
+       # so that it does not interfere with the surrounding address-checking
+       # rules.  If for example one of your internal LAN machines had its IP
+       # address set to 192.0.2.1 then an incoming packet for it after being
+       # translated by natd(8) would match the `deny' rule above.  Similarly
+       # an outgoing packet originated from it before being translated would
+       # match the `deny' rule below.
+       case ${natd_enable} in
+       [Yy][Ee][Ss])
+               if [ -n "${natd_interface}" ]; then
+                       ${fwcmd} add divert natd all from any to any via ${natd_interface}
+               fi
+               ;;
+       esac
+
+       # Stop RFC1918 nets on the outside interface
+       ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
+       ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
+       ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
+
+       # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
+       # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
+       # on the outside interface
+       ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
+       ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
+       ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
+       ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
+       ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
 
        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established
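Review bot: the placement argument in the comment starting `# Network Address Translation.  This rule is placed here deliberately` only holds when ${natd_interface} is the same interface as ${oif}: the deny rules on both sides of the divert match `via ${oif}`, while the divert rule matches `via ${natd_interface}`, so with a different natd_interface an untranslated packet can still hit the `from` deny rules below. A sentence stating that natd_interface is expected to be the outside interface would close that gap. Also note that, unlike rule 50 in the open/client arm, this divert is added unnumbered, so its position relies on ipfw's sequential auto-numbering; that is fine for a script that adds rules in order, but worth saying, since anyone inserting a numbered rule here would break the ordering the comment depends on.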

-- 
Crist J. Clark                           cjclark@alum.mit.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
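The condition described in the reply (natd_enable, natd_interface and now also firewall_type must all line up before rc.firewall emits a divert rule) can be checked without touching the live ruleset. The script below is an added example, not code from the original message or from FreeBSD's rc.firewall: it mirrors the divert logic of revision 1.30.2.6 as shown in the diff, with ${fwcmd} replaced by echo so the rule text is printed instead of loaded into the kernel. The rc.conf variable names are the real ones; the function names and the sample settings are this example's own assumptions.

```shell
#!/bin/sh
# Dry run of the natd divert logic from rc.firewall rev 1.30.2.6.
# Added example, not the original rc.firewall; fwcmd is "echo ipfw" so
# nothing is changed on the running system.

# Print the divert rule rc.firewall 1.30.2.6 would add for the given
# rc.conf settings, or print nothing if it would add none.
#   $1 = firewall_type   $2 = natd_enable   $3 = natd_interface
divert_rule_for() {
    firewall_type=$1
    natd_enable=$2
    natd_interface=$3
    fwcmd="echo ipfw"

    case ${firewall_type} in
    [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
        # open/client: numbered rule 50, ahead of everything else
        case ${natd_enable} in
        [Yy][Ee][Ss])
            if [ -n "${natd_interface}" ]; then
                ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
            fi
            ;;
        esac
        ;;
    [Ss][Ii][Mm][Pp][Ll][Ee])
        # simple: unnumbered rule placed between the "to" and "from"
        # bogon deny rules, so ipfw assigns the next free number
        case ${natd_enable} in
        [Yy][Ee][Ss])
            if [ -n "${natd_interface}" ]; then
                ${fwcmd} add divert natd all from any to any via ${natd_interface}
            fi
            ;;
        esac
        ;;
    *)
        # closed, UNKNOWN or a custom rules filename: 1.30.2.6 adds no
        # divert rule here, whatever natd_enable says (1.30.2.4 added
        # rule 50 for every firewall_type).
        ;;
    esac
}

# Exit 0 if these settings produce a divert rule, 1 otherwise.
natd_will_be_diverted() {
    [ -n "$(divert_rule_for "$1" "$2" "$3")" ]
}

# Constructed sample settings: two that get a divert rule, one that
# silently does not (a custom rules file is a common 4.x setup).
divert_rule_for open   YES tun0
divert_rule_for simple YES tun0
divert_rule_for /etc/ipfw.rules YES tun0
```

On a real box the same question is answered by `sh -x /etc/rc.firewall 2>&1 | grep divert`, as suggested in the reply, or after boot by `ipfw list | grep divert`; an empty result with natd running means packets never reach natd and the firewall_type value is the first thing to check.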

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001108131054.B84107>