Date: Sat, 22 Aug 2015 12:46:46 -0700 (PDT)
From: Don Lewis <truckman@FreeBSD.org>
To: freebsd-net@FreeBSD.org
Subject: a couple /etc/rc.firewall questions
Message-ID: <201508222103.t7ML3gAx000794@gw.catspoiler.org>
The example /etc/rc.firewall has provisions to use either in-kernel NAT or natd for the open and client firewall types, but the simple firewall type only has code for natd. Is there any reason that in-kernel NAT could not be used with the simple firewall type?

After allowing connections to selected TCP ports and then denying all other incoming TCP setup connections from ${oif}, the simple firewall code in /etc/rc.firewall then permits all other TCP setup connections:

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

This is potentially undesirable since it allows unrestricted TCP connections between "me" and the inside network. When I changed this to

    ${fwcmd} add pass tcp from any to any out via ${oif} setup

I was able to open TCP connections from the firewall box to the outside, but NATed connections from the inside network to the outside were blocked. If I run "ipfw show", it appears that the TCP setup packets are falling through to the final implicit deny all rule, but I don't see any obvious reason.
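As an added example that is neither from the post above nor from FreeBSD's own /etc/rc.firewall: a fragment in the style of the simple section with the natd divert replaced by the in-kernel nat action, and the trailing blanket setup rule split into an inbound pass on ${iif} and an outbound pass on ${oif}, since ipfw evaluates a forwarded packet once on each interface and a rule limited to "out via ${oif}" never matches the packet's entry on ${iif}. Interface names, the inside network and the nat instance number are assumed; with fwcmd left at "echo ipfw" the rules are only printed, so the fragment can be reviewed on any host.

```shell
#!/bin/sh
# Added example, not the text of FreeBSD's rc.firewall.
# Assumed (constructed) names: oif/iif are the outside/inside
# interfaces, inet/imask the inside network. fwcmd defaults to
# "echo ipfw" so nothing is loaded into a running firewall.
oif="${oif:-em0}"
iif="${iif:-em1}"
inet="${inet:-192.168.1.0}"
imask="${imask:-255.255.255.0}"
fwcmd="${fwcmd:-echo ipfw}"

simple_nat_rules() {
    # Anti-spoofing, as the simple type does before NAT.
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}

    # In-kernel NAT on the outside interface, replacing
    # "divert natd ip from any to any via ${oif}". This assumes
    # net.inet.ip.fw.one_pass=0 so the rules below still run after
    # translation (ipfw(8): with one_pass=1 the search ends at nat).
    ${fwcmd} nat 1 config if ${oif}
    ${fwcmd} add nat 1 ip from any to any via ${oif}

    # Packets belonging to an already established connection.
    ${fwcmd} add pass tcp from any to any established

    # Per-service exceptions would go here; then refuse every other
    # TCP setup arriving from the outside, as the simple type does.
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # A forwarded packet passes ipfw twice: entering on ${iif} and
    # leaving on ${oif}. Pass both hops explicitly, restricted to the
    # inside network on the way in, instead of the blanket
    # "pass tcp from any to any setup".
    ${fwcmd} add pass tcp from ${inet}:${imask} to any in via ${iif} setup
    ${fwcmd} add pass tcp from any to any out via ${oif} setup
}

# Succeeds (exit 0) only when no blanket setup rule is generated.
check_no_blanket_setup() {
    ! simple_nat_rules | grep -q 'pass tcp from any to any setup'
}

simple_nat_rules
```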