Date:      Sun, 23 Aug 2015 17:52:54 -0700 (PDT)
From:      Don Lewis <truckman@FreeBSD.org>
To:        hrs@FreeBSD.org
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: a couple /etc/rc.firewall questions
Message-ID:  <201508240052.t7O0qsFF002623@gw.catspoiler.org>
In-Reply-To: <20150823.084453.1715908115913144015.hrs@allbsd.org>


On 23 Aug, Hiroki Sato wrote:
> Don Lewis <truckman@FreeBSD.org> wrote
>   in <201508222103.t7ML3gAx000794@gw.catspoiler.org>:
> 
> tr> The example /etc/rc.firewall has provisions to use either in-kernel NAT
> tr> or natd for the open and client firewall types, but the simple firewall
> tr> type only has code for natd.  Is there any reason that in-kernel NAT
> tr> could not be used with the simple firewall type?
> 
>  I think there is no particular reason.  Simple rule was just not updated.

Yeah, it seems to work if I add the rule for it in the appropriate
place.

> tr> After allowing connections to selected TCP ports and then denying all
> tr> other incoming TCP setup connections from ${oif}, the simple firewall
> tr> code in /etc/rc.firewall then permits all other TCP setup connections:
> tr> 	# Allow setup of any other TCP connection
> tr> 	${fwcmd} add pass tcp from any to any setup
> tr> This is potentially undesirable since it allows unrestricted TCP
> tr> connections between "me" and the inside network.  When I changed this to
> tr> 	${fwcmd} add pass tcp from any to any out via ${oif} setup
> tr> I was able to open TCP connections from the firewall box to the outside,
> tr> but NATed connections from inside network to the outside were blocked.
> tr> If I run "ipfw show", it appears that the TCP setup packets are falling
> tr> through to the final implicit deny all rule, but I don't see any obvious
> tr> reason.
> 
>  A TCP setup packet coming from a host on the internal LAN to the NAPT
>  router falls into the last deny-all rule because it does not match if
>  you added "out via ${oif}" to that rule.  Does the following
>  additional rule work for you?
> 
>  ${fwcmd} add pass tcp from any to any out via ${oif} setup
>  ${fwcmd} add pass tcp from any to not me in via ${iif} setup

That works for now, but won't do the correct thing when I subdivide my
internal network because it will allow unrestricted connections between
the internal subnets.  What I'd really like is something like:

	${fwcmd} add pass tcp from any to not me,${inet} setup

but that isn't a valid rule.  I ended up adding a couple of deny
rules for me and ${inet} before the wildcard pass allow rule.  I had to
make sure that some other more specific rules allowing connections
between me and the inside were before the new deny rules.
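The rule ordering this reply describes, sketched as an added example rather than rules posted in the thread: a few specific allow rules between the firewall and the inside, then deny rules for "me" and ${inet}, then the original wildcard setup rule, with an in-kernel NAT rule for the simple type as discussed above. The interface names, the inside prefix and the NAT instance number are constructed placeholders, and ${fwcmd} is set to "echo ipfw" so the script runs (and can be inspected) on a box without ipfw.

```shell
#!/bin/sh
# Added illustration, not the thread's own /etc/rc.firewall rules.
# fwcmd echoes instead of invoking ipfw so the rule list can be reviewed offline.
fwcmd="echo ipfw"
oif="em0"            # outside interface (placeholder)
iif="em1"            # inside interface (placeholder)
inet="192.0.2.0/24"  # inside network (placeholder, documentation prefix)

simple_tcp_rules() {
    # In-kernel NAT on the outside interface, the piece the thread notes
    # was missing from the simple type (natd alternative omitted here).
    ${fwcmd} nat 123 config if ${oif}
    ${fwcmd} add nat 123 ip4 from any to any via ${oif}

    # Specific services the firewall offers to the inside (example: ssh).
    # These must come BEFORE the deny rules below or they are never reached.
    ${fwcmd} add pass tcp from ${inet} to me 22 in via ${iif} setup

    # Deny any other new TCP connection to the firewall itself or to the
    # inside network, so the wildcard rule cannot permit them. This also
    # covers traffic between inside subnets once ${inet} is subdivided.
    ${fwcmd} add deny tcp from any to me setup
    ${fwcmd} add deny tcp from any to ${inet} setup

    # Allow setup of any other TCP connection (the original wildcard rule);
    # NATed inside-to-outside and firewall-to-outside setups land here.
    ${fwcmd} add pass tcp from any to any setup
}

# Ordering check helper: line number of the first rule matching a pattern.
rule_index() {
    simple_tcp_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

simple_tcp_rules
```

Reading the generated list top to bottom shows why the specific allow rules have to precede the two deny rules and why the deny rules have to precede the wildcard pass: ipfw stops at the first matching rule, so any reordering silently changes which setups get through.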


Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201508240052.t7O0qsFF002623>