From: Don Lewis <truckman@FreeBSD.org>
Date: Sat, 22 Aug 2015 12:46:46 -0700 (PDT)
Subject: a couple /etc/rc.firewall questions
To: freebsd-net@FreeBSD.org
Message-Id: <201508222103.t7ML3gAx000794@gw.catspoiler.org>
List-Id: Networking and TCP/IP with FreeBSD

The example /etc/rc.firewall has provisions to use either in-kernel NAT or natd for the open and client firewall types, but the simple firewall type only has code for natd. Is there any reason that in-kernel NAT could not be used with the simple firewall type?

After allowing connections to selected TCP ports and then denying all other incoming TCP setup connections from ${oif}, the simple firewall code in /etc/rc.firewall then permits all other TCP setup connections:

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

This is potentially undesirable since it allows unrestricted TCP connections between "me" and the inside network. When I changed this to

    ${fwcmd} add pass tcp from any to any out via ${oif} setup

I was able to open TCP connections from the firewall box to the outside, but NATed connections from the inside network to the outside were blocked. If I run "ipfw show", it appears that the TCP setup packets are falling through to the final implicit deny all rule, but I don't see any obvious reason.
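The rule change described in the message above, modelled as a small Python simulation. This is an added example, not code from the post, from /etc/rc.firewall or from ipfw itself. It assumes (my assumption, not something the post states) that ipfw evaluates a forwarded packet twice, once on input through the interface it arrived on and once on output through the interface it leaves on, with first-match semantics and an implicit deny at the end of each pass; it leaves NAT out on the assumption that the simple ruleset's NAT rule is bound to the outside interface and so never matches on the inside-interface pass. The interface names are constructed, and the mail/DNS/WWW port rules are omitted because they only match traffic addressed to ${oip}.

```python
"""Toy first-match evaluator for a fragment of the 'simple' ipfw ruleset.

Added example; not code from the post, rc.firewall or ipfw. Assumptions:
a forwarded packet is evaluated once 'in via' the inside interface and once
'out via' the outside interface; NAT is omitted (its rule is bound to the
outside interface); interface names below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IIF = "em1"   # constructed: inside interface (${iif})
OIF = "em0"   # constructed: outside interface (${oif})


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", ...
    direction: str             # "in" or "out"
    iface: str                 # interface the packet is being evaluated on
    setup: bool = False        # TCP SYN without ACK (ipfw "setup")
    established: bool = False  # any other TCP segment (ipfw "established")


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "deny"
    proto: str = "any"
    direction: Optional[str] = None  # "in", "out" or None for either
    via: Optional[str] = None        # interface name or None for any
    setup: bool = False
    established: bool = False
    text: str = ""                   # the rule as it would be written

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and (self.direction is None or self.direction == p.direction)
                and (self.via is None or self.via == p.iface)
                and (not self.setup or p.setup)
                and (not self.established or p.established))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """One pass through the ruleset: first matching rule wins, else implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.text
    return "deny", "implicit default deny"


def forwarded(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Inside host -> outside: the packet is seen 'in via IIF', then 'out via OIF'."""
    for direction, iface in (("in", IIF), ("out", OIF)):
        verdict, why = evaluate(rules, Packet(p.proto, direction, iface, p.setup, p.established))
        if verdict == "deny":
            return verdict, f"{direction} via {iface}: {why}"
    return "pass", "passed on both interfaces"


def locally_originated(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Firewall box -> outside: only the 'out via OIF' pass applies."""
    verdict, why = evaluate(rules, Packet(p.proto, "out", OIF, p.setup, p.established))
    return verdict, f"out via {OIF}: {why}"


# The fragment of the 'simple' ruleset quoted in the post.
SIMPLE_ORIGINAL = [
    Rule("pass", "tcp", established=True, text="pass tcp from any to any established"),
    Rule("deny", "tcp", direction="in", via=OIF, setup=True,
         text="deny log tcp from any to any in via ${oif} setup"),
    Rule("pass", "tcp", setup=True, text="pass tcp from any to any setup"),
]

# The same fragment with the last rule narrowed as the post describes.
SIMPLE_MODIFIED = SIMPLE_ORIGINAL[:-1] + [
    Rule("pass", "tcp", direction="out", via=OIF, setup=True,
         text="pass tcp from any to any out via ${oif} setup"),
]

# Constructed sample packets; direction/iface are overridden by the helpers above.
SYN = Packet("tcp", "in", IIF, setup=True)
DATA = Packet("tcp", "in", IIF, established=True)

if __name__ == "__main__":
    for name, rules in (("original", SIMPLE_ORIGINAL), ("modified", SIMPLE_MODIFIED)):
        print(name, "inside -> outside SYN:", forwarded(rules, SYN))
        print(name, "inside -> outside data:", forwarded(rules, DATA))
        print(name, "firewall -> outside SYN:", locally_originated(rules, SYN))
        print(name, "outside -> firewall SYN:", evaluate(rules, Packet("tcp", "in", OIF, setup=True)))
```

Under the stated assumption the simulation reproduces the symptom in the post: the narrowed rule still passes the firewall box's own connection attempts, which only ever take the outbound pass, while an inside host's SYN is dropped by the implicit deny on its first, inbound pass through ${iif} and never reaches the "out via ${oif}" rule. Established segments are unaffected because the earlier "established" rule has no interface qualifier.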