Date:      Sun, 23 Aug 2015 17:52:54 -0700 (PDT)
From:      Don Lewis <truckman@FreeBSD.org>
To:        hrs@FreeBSD.org
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: a couple /etc/rc.firewall questions
Message-ID:  <201508240052.t7O0qsFF002623@gw.catspoiler.org>
In-Reply-To: <20150823.084453.1715908115913144015.hrs@allbsd.org>

On 23 Aug, Hiroki Sato wrote:
> Don Lewis <truckman@FreeBSD.org> wrote
>   in <201508222103.t7ML3gAx000794@gw.catspoiler.org>:
> 
> tr> The example /etc/rc.firewall has provisions to use either in-kernel NAT
> tr> or natd for the open and client firewall types, but the simple firewall
> tr> type only has code for natd.  Is there any reason that in-kernel NAT
> tr> could not be used with the simple firewall type?
> 
>  I think there is no particular reason.  Simple rule was just not updated.

Yeah, it seems to work if I add the rule for it in the appropriate
place.

> tr> After allowing connections to selected TCP ports and then denying all
> tr> other incoming TCP setup connections from ${oif}, the simple firewall
> tr> code in /etc/rc.firewall then permits all other TCP setup connections:
> tr> 	# Allow setup of any other TCP connection
> tr> 	${fwcmd} add pass tcp from any to any setup
> tr> This is potentially undesirable since it allows unrestricted TCP
> tr> connections between "me" and the inside network.  When I changed this to
> tr> 	${fwcmd} add pass tcp from any to any out via ${oif} setup
> tr> I was able to open TCP connections from the firewall box to the outside,
> tr> but NATed connections from inside network to the outside were blocked.
> tr> If I run "ipfw show", it appears that the TCP setup packets are falling
> tr> through to the final implicit deny all rule, but I don't see any obvious
> tr> reason.
> 
>  A TCP setup packet coming from a host on the internal LAN to the NAPT
>  router falls into the last deny-all rule because it does not match if
>  you added "out via ${oif}" to that rule.  Does the following
>  additional rule work for you?
> 
>  ${fwcmd} add pass tcp from any to any out via ${oif} setup
>  ${fwcmd} add pass tcp from any to not me in via ${iif} setup

That works for now, but won't do the correct thing when I subdivide my
internal network because it will allow unrestricted connections between
the internal subnets.  What I'd really like is something like:

	${fwcmd} add pass tcp from any to not me,${inet} setup

but that isn't a valid rule.  I ended up adding a couple of deny
rules for me and ${inet} before the wildcard pass allow rule.  I had to
make sure that some other more specific rules allowing connections
between me and the inside were before the new deny rules.
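The ordering Don settles on above (specific allows between "me" and the inside first, then deny rules for me and ${inet}, then the wildcard pass) as an added dry-run example; this is not code from the thread or from FreeBSD's /etc/rc.firewall. It assumes the rc.firewall variable names ${iif}, ${inet} and ${oif}, uses ssh from the inside network to the firewall as a hypothetical "more specific" exception, and defaults ${fwcmd} to echo so the rule list can be reviewed before it is loaded with ipfw.

```shell
#!/bin/sh
# Added example: rule ordering for the simple firewall type's TCP setup
# section. Variable names follow /etc/rc.firewall; the default values and
# the ssh exception are constructed for illustration.
iif="${iif:-em1}"                  # assumed inside interface
inet="${inet:-192.168.1.0/24}"     # assumed inside network
oif="${oif:-em0}"                  # assumed outside interface
# fwcmd=echo prints the rules instead of loading them; set
# fwcmd=/sbin/ipfw to apply the same list for real.
fwcmd="${fwcmd:-echo}"

simple_tcp_setup_rules() {
    # 1. Specific allows between "me" and the inside must precede the denies
    #    (hypothetical exception: ssh from the inside network to the firewall).
    ${fwcmd} add pass tcp from ${inet} to me 22 in via ${iif} setup
    # 2. Deny every other TCP setup aimed at the firewall itself or at the
    #    inside network; the second rule also stops setup packets between
    #    internal subnets once ${inet} is subdivided.
    ${fwcmd} add deny tcp from any to me setup
    ${fwcmd} add deny tcp from any to ${inet} setup
    # 3. Wildcard pass: what is left is inside->outside (NATed) and
    #    me->outside, which is what "from any to not me,${inet}" was meant to express.
    ${fwcmd} add pass tcp from any to any setup
}

# Sanity check on the generated list: no deny rule may appear after the
# wildcard pass, otherwise the deny would never be reached.
check_order() {
    simple_tcp_setup_rules | awk '
        /^add deny/ { if (seen_wild) bad = 1 }
        /^add pass tcp from any to any setup$/ { seen_wild = 1 }
        END { exit bad ? 1 : 0 }'
}

# Usage: review the list, then re-run with fwcmd=/sbin/ipfw to load it.
simple_tcp_setup_rules
```

Because ipfw evaluates rules in order, the two deny rules are only effective if they sit between the specific allows and the wildcard pass; check_order guards that invariant when the list is regenerated.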



