Date: Sat, 22 Aug 2015 12:46:46 -0700 (PDT)
From: Don Lewis <truckman@FreeBSD.org>
To: freebsd-net@FreeBSD.org
Subject: a couple /etc/rc.firewall questions
Message-ID: <201508222103.t7ML3gAx000794@gw.catspoiler.org>
The example /etc/rc.firewall has provisions to use either in-kernel NAT
or natd for the open and client firewall types, but the simple firewall
type only has code for natd. Is there any reason that in-kernel NAT
could not be used with the simple firewall type?
After allowing connections to selected TCP ports and then denying all
other incoming TCP setup connections from ${oif}, the simple firewall
code in /etc/rc.firewall then permits all other TCP setup connections:
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
This is potentially undesirable since it allows unrestricted TCP
connections between "me" and the inside network. When I changed this to
${fwcmd} add pass tcp from any to any out via ${oif} setup
I was able to open TCP connections from the firewall box to the outside,
but NATed connections from inside network to the outside were blocked.
If I run "ipfw show", it appears that the TCP setup packets are falling
through to the final implicit deny all rule, but I don't see any obvious
reason.
