Date: Thu, 13 Apr 2000 22:00:02 +0200 (CEST)
From: Joshua Goodall <joshua@roughtrade.net>
To: Ron Smith <ronnetron@hotmail.com>
Cc: freebsd-security@FreeBSD.ORG, support@cdrom.com
Subject: Re: NAT and /etc/rc.firewall
Message-ID: <Pine.BSF.4.21.0004132154540.20203-100000@juice.shallow.net>
In-Reply-To: <20000413002323.98449.qmail@hotmail.com>
This is a known problem. Since the implications compromise natd security,
it should have been fixed in the distro. It isn't in 4.0-STABLE. However
there is a potential fix. See

http://www.freebsd.org/cgi/query-pr.cgi?pr=13769

-- 
Joshua Goodall
"Bandwidth Evangelist"

On Wed, 12 Apr 2000, Ron Smith wrote:

> bash-2.03# uname -a
> FreeBSD stargate.crcfx.com 3.4-RELEASE FreeBSD 3.4-RELEASE #0: Fri Mar
> 31 14:39:09 PST 2000 root@stargate.crcfx..com:/usr/src/sys/compile/STARGATE
> i386
>
> I recompiled the kernel with:
>
> options IPFIREWALL
> options IPDIVERT
>
> The problem is as follows:
>
> NAT only works with 'firewall_type="open"'.
>
> Here are the particulars:
>
> bash-2.03$ cat /etc/rc.conf
>
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
>
> linux_enable="YES"
> moused_port="/dev/cuaa0"
> moused_type="microsoft"
> moused_enable="YES"
> inetd_enable="NO"
> sendmail_enable="NO"
> dumpdev=/dev/wd0s1b
> firewall_enable="YES"
> firewall_type="simple"
> firewall_script="/etc/rc.firewall"
> gateway_enable="YES"
> defaultrouter="63.203.c.d"
> natd_enable="YES"
> natd_interface="pn0"
> ifconfig_fxp0="inet 192.168.c.d netmask 255.255.255.0"
> ifconfig_pn0="inet 63.203.c.d netmask 255.255.255.248"
> hostname="stargate.crcfx.com"
> named_enable="YES"
> ~~~~~~~~~~~~~~~~~~
> ~~~~~~~~~~~~~~~~~~
> Following is a portion of 'cat /etc/rc.firewall'
>
> elif [ "${firewall_type}" = "simple" ]; then
>
> ############
> # This is a prototype setup for a simple firewall. Configure this machine
> # as a named server and ntp server, and point all the machines on the inside
> # at this machine for those services.
> ############
>
> # set these to your outside interface network and netmask and ip
> oif="pn0"
> onet="63.203.c.d"          # cidr given by the ISP; one below the gateway
> omask="255.255.255.248"
> oip="63.203.c.d"           # Static IP address of the external NIC
>
> # set these to your inside interface network and netmask and ip
> iif="fxp0"
> inet="192.168.c.d"         # IP range of internal LAN
> imask="255.255.255.0"
> iip="192.168.c.d"          # IP address of the internal NIC
>
> NAT doesn't work for anyone on the LAN trying to reach the internet through
> 'firewall_type="simple"', but works fine with 'firewall_type="open"'. Do you
> think the above settings are correct, and in the right place?
>
> Can anyone give me a hand? Everything looks O.K. to me, unless I'm missing
> something. Maybe there's something I'm missing altogether when I try to go
> 'firewall_type="simple"' and use those stock rules, as is, in
> '/etc/rc.firewall'. If I need to make changes there, could someone mail me a
> sample of some rules that work for NAT+ipfw.
>
> TIA
> Ron Smith
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
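An added example, not code from the thread or from the FreeBSD rc.firewall of the time: a POSIX sh fragment for a "simple"-style ipfw rule set on Ron's layout that includes the `divert natd` rule NAT through ipfw requires, placed ahead of the pass rules, plus a check that the ordering holds. Interface names are the ones he posted; the addresses are RFC 5737/1918 stand-ins for his redacted octets, and the rules cover the NAT path for TCP and the gateway's own DNS lookups, not the LAN-facing named/ntp service rules.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.firewall:
# a "simple"-style ipfw rule set for Ron's layout with the natd divert
# rule that NAT through ipfw requires. Interface names are the ones he
# posted; the addresses are RFC 5737/1918 stand-ins for redacted octets.
oif="pn0";  onet="203.0.113.0/29"; oip="203.0.113.2"
iif="fxp0"; inet="192.168.1.0/24"

# FWCMD defaults to echo so the rules can be reviewed offline; set
# FWCMD=/sbin/ipfw on a FreeBSD gateway (kernel built with IPFIREWALL
# and IPDIVERT, natd running on ${oif}) to actually install them.
: "${FWCMD:=echo}"

build_rules() {
    f="$FWCMD add"
    $f 100 pass all from any to any via lo0
    $f 200 deny all from any to 127.0.0.0/8
    # Anti-spoofing: inside addresses must not arrive from outside,
    # and outside addresses must not arrive from the LAN side.
    $f 300 deny all from ${inet} to any in via ${oif}
    $f 400 deny all from ${onet} to any in via ${iif}
    # Hand every packet crossing the outside interface to natd. This must
    # precede any pass rule: a pass rule matched first lets LAN traffic out
    # untranslated and the reply never comes back (the symptom in the thread).
    $f 500 divert natd all from any to any via ${oif}
    # Established TCP, outbound TCP setup from the LAN and from the gateway
    $f 600 pass tcp from any to any established
    $f 700 pass tcp from ${inet} to any setup in via ${iif}
    $f 800 pass tcp from ${oip} to any setup out via ${oif}
    # The gateway's own DNS lookups (it runs named for the LAN), stateless
    $f 900 pass udp from ${oip} to any 53 out via ${oif}
    $f 1000 pass udp from any 53 to ${oip} in via ${oif}
    # Everything else is dropped and logged
    $f 65000 deny log all from any to any
}

# Check to run before installing: the divert rule must come before the
# first pass rule that LAN traffic could match. Exit status 0 means OK.
divert_before_pass() {
    build_rules | awk '
        /divert natd/ && !d { d = NR }
        /pass tcp|pass udp/ && !p { p = NR }
        END { exit !(d && p && d < p) }'
}

build_rules
```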