From: Hiroki Sato <hrs@FreeBSD.org>
Date: Sun, 23 Aug 2015 08:44:53 +0900 (JST)
To: truckman@FreeBSD.org
Cc: freebsd-net@FreeBSD.org
Subject: Re: a couple /etc/rc.firewall questions
Message-Id: <20150823.084453.1715908115913144015.hrs@allbsd.org>
In-Reply-To: <201508222103.t7ML3gAx000794@gw.catspoiler.org>
References: <201508222103.t7ML3gAx000794@gw.catspoiler.org>
List-Id: Networking and TCP/IP with FreeBSD

Don Lewis wrote in <201508222103.t7ML3gAx000794@gw.catspoiler.org>:

tr> The example /etc/rc.firewall has provisions to use either in-kernel NAT
tr> or natd for the open and client firewall types, but the simple firewall
tr> type only has code for natd.  Is there any reason that in-kernel NAT
tr> could not be used with the simple firewall type?

 I think there is no particular reason.  The simple rule was just not
 updated.

tr> After allowing connections to selected TCP ports and then denying all
tr> other incoming TCP setup connections from ${oif}, the simple firewall
tr> code in /etc/rc.firewall then permits all other TCP setup connections:
tr>
tr>     # Allow setup of any other TCP connection
tr>     ${fwcmd} add pass tcp from any to any setup
tr>
tr> This is potentially undesirable since it allows unrestricted TCP
tr> connections between "me" and the inside network.  When I changed this to
tr>
tr>     ${fwcmd} add pass tcp from any to any out via ${oif} setup
tr>
tr> I was able to open TCP connections from the firewall box to the outside,
tr> but NATed connections from inside network to the outside were blocked.
tr> If I run "ipfw show", it appears that the TCP setup packets are falling
tr> through to the final implicit deny all rule, but I don't see any obvious
tr> reason.

 A TCP setup packet coming from a host on the internal LAN to the NAPT
 router falls into the last deny-all rule because it does not match if you
 added "out via ${oif}" to that rule.  Does the following additional rule
 work for you?

    ${fwcmd} add pass tcp from any to any out via ${oif} setup
    ${fwcmd} add pass tcp from any to not me in via ${iif} setup

-- Hiroki
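To make the two-pass evaluation described above concrete, here is a small Python model of ipfw first-match semantics for this rule tail; it is an added illustration, not part of the thread or of /etc/rc.firewall. It assumes em0 as ${oif} and em1 as ${iif}, uses constructed router addresses, and ignores NAT, keep-state and the port-specific rules that precede this tail in the simple firewall.

```python
# Tiny model of ipfw first-match evaluation for the rule tail discussed
# above (assumptions: em0 is ${oif}, em1 is ${iif}; NAT, keep-state and the
# port-specific rules that precede this tail in rc.firewall are ignored).
OIF, IIF = "em0", "em1"
ME = {"203.0.113.1", "192.168.1.1"}   # the router's own addresses (constructed)

# A rule is (action, direction, interface, destination spec); None means no
# constraint, i.e. the rule's "any". Every rule here is "tcp ... setup".
ORIGINAL     = [("pass", None, None, "any")]                 # any to any setup
OUT_ONLY     = [("pass", "out", OIF, "any")]                 # Don's change
WITH_INBOUND = [("pass", "out", OIF, "any"),
                ("pass", "in", IIF, "not me")]               # Hiroki's addition

def dst_matches(spec, dst):
    return {"any": True, "me": dst in ME, "not me": dst not in ME}[spec]

def evaluate(rules, direction, iface, dst):
    """One pass of a TCP SYN through the rule list: first match wins."""
    for action, rdir, riface, spec in rules:
        if rdir and rdir != direction:
            continue
        if riface and riface != iface:
            continue
        if dst_matches(spec, dst):
            return action
    return "deny"  # the final implicit deny-all Don saw in "ipfw show"

def forwarded_syn(rules, dst):
    """A LAN host's SYN to an outside host crosses ipfw twice: inbound on
    ${iif}, then (after NAT) outbound on ${oif}. Both passes must accept."""
    if evaluate(rules, "in", IIF, dst) != "pass":
        return "deny"
    return evaluate(rules, "out", OIF, dst)

def router_originated_syn(rules, dst):
    """A SYN from the firewall box itself only sees the outbound pass."""
    return evaluate(rules, "out", OIF, dst)

def lan_to_router_syn(rules, dst):
    """A SYN from a LAN host to the router itself only sees the inbound pass."""
    return evaluate(rules, "in", IIF, dst)

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("out-only", OUT_ONLY),
                        ("with inbound", WITH_INBOUND)]:
        print(f"{name:13}: LAN->outside {forwarded_syn(rules, '198.51.100.7')}, "
              f"router->outside {router_originated_syn(rules, '198.51.100.7')}, "
              f"LAN->router {lan_to_router_syn(rules, '192.168.1.1')}")
```

The out-only list reproduces the symptom (the LAN host's SYN is dropped on its inbound pass), while the two-rule list passes forwarded traffic and still leaves SYNs aimed at the router itself to the earlier port-specific rules.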