Date: Sun, 23 Aug 2015 08:44:53 +0900 (JST)
From: Hiroki Sato <hrs@FreeBSD.org>
To: truckman@FreeBSD.org
Cc: freebsd-net@FreeBSD.org
Subject: Re: a couple /etc/rc.firewall questions
Message-ID: <20150823.084453.1715908115913144015.hrs@allbsd.org>
In-Reply-To: <201508222103.t7ML3gAx000794@gw.catspoiler.org>
References: <201508222103.t7ML3gAx000794@gw.catspoiler.org>
Don Lewis <truckman@FreeBSD.org> wrote
in <201508222103.t7ML3gAx000794@gw.catspoiler.org>:
tr> The example /etc/rc.firewall has provisions to use either in-kernel NAT
tr> or natd for the open and client firewall types, but the simple firewall
tr> type only has code for natd. Is there any reason that in-kernel NAT
tr> could not be used with the simple firewall type?
I think there is no particular reason. The simple rule was just not updated.
tr> After allowing connections to selected TCP ports and then denying all
tr> other incoming TCP setup connections from ${oif}, the simple firewall
tr> code in /etc/rc.firewall then permits all other TCP setup connections:
tr> # Allow setup of any other TCP connection
tr> ${fwcmd} add pass tcp from any to any setup
tr> This is potentially undesirable since it allows unrestricted TCP
tr> connections between "me" and the inside network. When I changed this to
tr> ${fwcmd} add pass tcp from any to any out via ${oif} setup
tr> I was able to open TCP connections from the firewall box to the outside,
tr> but NATed connections from inside network to the outside were blocked.
tr> If I run "ipfw show", it appears that the TCP setup packets are falling
tr> through to the final implicit deny all rule, but I don't see any obvious
tr> reason.
A TCP setup packet coming from a host on the internal LAN to the NAPT
router falls into the last deny-all rule because it does not match if
you added "out via ${oif}" to that rule. Does the following
additional rule work for you?
${fwcmd} add pass tcp from any to any out via ${oif} setup
${fwcmd} add pass tcp from any to not me in via ${iif} setup
-- Hiroki
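As an added illustration (not code from either message or from FreeBSD), the following Python models ipfw's first-match evaluation for the three variants of the TCP setup rule discussed above: the stock rule, the "out via ${oif}" change, and that change plus the additional "in via ${iif}" rule. Interface names, addresses and the scenario packets are constructed, and only the pass through the ruleset on which the packet is first seen (arrival on ${iif} for an inside host, before NAT) is modelled.

```python
# Constructed model of ipfw's first-match evaluation for the 'setup' rules in this thread.
# Not ipfw itself: interface names, addresses and helper names are assumptions.
from collections import namedtuple

OIF, IIF = "em0", "em1"              # stand-ins for ${oif} and ${iif}
ME = {"203.0.113.2", "192.168.1.1"}  # the firewall box's own addresses (constructed)

# src/dst address, direction "in"/"out" relative to the box, interface the packet is
# seen on during this pass, and whether it is a SYN without ACK (ipfw's 'setup')
Packet = namedtuple("Packet", "src dst direction iface setup", defaults=[True])

def addr_ok(spec, addr):
    # ipfw address specs used in the thread: any, me, not me; otherwise a literal
    if spec == "any":
        return True
    if spec in ("me", "not me"):
        return (addr in ME) == (spec == "me")
    return spec == addr

def rule(action, src, dst, **opts):
    # One rule: action, from, to, plus optional dir ("in"/"out"), via, setup
    return {"action": action, "from": src, "to": dst, **opts}

def rule_matches(r, pkt):
    return (addr_ok(r["from"], pkt.src) and addr_ok(r["to"], pkt.dst)
            and r.get("dir", pkt.direction) == pkt.direction
            and r.get("via", pkt.iface) == pkt.iface
            and (not r.get("setup") or pkt.setup))

def verdict(rules, pkt):
    # First matching rule wins; no match means ipfw's implicit final deny-all
    for r in rules:
        if rule_matches(r, pkt):
            return r["action"]
    return "deny"

# The stock simple rule, Don's restricted rule, and Don's rule plus Hiroki's addition
STOCK = [rule("pass", "any", "any", setup=True)]
DON = [rule("pass", "any", "any", dir="out", via=OIF, setup=True)]
HIROKI = DON + [rule("pass", "any", "not me", dir="in", via=IIF, setup=True)]

# Constructed SYN packets as seen on their first pass through the ruleset (before NAT)
LAN_TO_OUTSIDE = Packet("192.168.1.50", "198.51.100.7", "in", IIF)
BOX_TO_OUTSIDE = Packet("203.0.113.2", "198.51.100.7", "out", OIF)
LAN_TO_BOX = Packet("192.168.1.50", "192.168.1.1", "in", IIF)

def outcomes(rules):
    # Verdict per scenario, so the three rulesets can be compared side by side
    return {name: verdict(rules, pkt) for name, pkt in (("lan_to_outside", LAN_TO_OUTSIDE),
            ("box_to_outside", BOX_TO_OUTSIDE), ("lan_to_box", LAN_TO_BOX))}
```

The stock rule passes everything, including inside hosts connecting to the box itself; the "out via ${oif}" rule alone drops the inside host's SYN to the implicit deny because it arrives "in via ${iif}"; the additional "to not me in via ${iif}" rule lets that SYN through while still refusing setup from the inside network to "me".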