Date: Tue, 7 Jan 2003 23:05:43 +1100 (EST)
From: Ian Smith
To: Serg Repalov
Cc: questions@FreeBSD.org
Subject: Re: question about /etc/rc.firewall

Hi Serg,

On Mon, 6 Jan 2003, questions-digest V5 #1826 wrote:

> Date: Mon, 6 Jan 2003 16:07:20 +0300
> From: Serg Repalov
> Subject: question about /etc/rc.firewall
>
> Hi.
>
> Can anyone make one thing clear for me. In the file /etc/rc.firewall
> we have two sections which stop RFC1918 and draft-manning-dsua-03.txt
> networks:
>
> # Stop RFC1918 nets on the outside interface
> [ ... ]
>
> # Network Address Translation. This rule is placed here deliberately
> [ ... ]
> case ${natd_enable} in
> [Yy][Ee][Ss])
>     if [ -n "${natd_interface}" ]; then
>         ${fwcmd} add divert natd all from any to any via ${natd_interface}
>     fi
>     ;;
> esac
>
> # Stop RFC1918 nets on the outside interface
> [ ... ]
>
> If we are not using NAT then we have _two_ sections of the _same_ rules,

No, they're not the same rules - though their comments could be a little more explicit.
The below is quoted from a FreeBSD 4.5-RELEASE /etc/rc.firewall, but I expect it's still much the same in 4.7.

First section:

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
[etc]

Then the NAT rules section you quoted, then:

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
[etc]

The first section stops any incoming traffic from outside TO any RFC1918 addresses, and the second stops any traffic FROM our RFC1918 addresses reaching the outside, i.e. it prevents us from spoofing these addresses (or handles a failure of our NAT setup to properly map such addresses).

> Where the second section which stops RFC1918 and draft-manning-dsua-03.txt
> networks is applied only if we are really using NAT ?

It's just as important, perhaps more, if we're not using NAT.

Cheers, Ian
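As an added illustration (not part of Ian's message and not code from FreeBSD's rc.firewall), the following Python models the three stanzas in the order the script installs them: the "to RFC1918" deny section, the natd divert, then the "from RFC1918" deny section. It assumes ipfw's "via" semantics (the rule matches a packet on the named interface in either direction) and models natd as a simplified outbound source rewrite; the interface names "fxp0"/"fxp1" and all addresses are constructed sample values. Running it shows that the two sections match different packets, and that with NAT enabled the second section only sees packets the divert failed to translate, which is why Ian says it matters more without NAT.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# The three RFC1918 ranges named in both rc.firewall sections
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet crosses
    direction: str  # "in" (arriving on iface) or "out" (leaving via iface)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def via(pkt: Packet, iface: str) -> bool:
    # ipfw "via <if>" matches a packet on that interface regardless of direction
    return pkt.iface == iface


def first_section_denies(pkt: Packet, oif: str) -> bool:
    # "deny all from any to <rfc1918 net> via ${oif}": private destination
    return via(pkt, oif) and is_rfc1918(pkt.dst)


def second_section_denies(pkt: Packet, oif: str) -> bool:
    # "deny all from <rfc1918 net> to any via ${oif}": private source
    return via(pkt, oif) and is_rfc1918(pkt.src)


def natd_divert(pkt: Packet, natd_interface: str, public_ip: str) -> Packet:
    # Simplified natd model (assumption): a packet leaving via the NAT interface
    # with a private source has its source rewritten to the public address.
    # Inbound reverse mapping is omitted because it depends on natd's state table.
    if via(pkt, natd_interface) and pkt.direction == "out" and is_rfc1918(pkt.src):
        return replace(pkt, src=public_ip)
    return pkt


def evaluate(pkt: Packet, oif: str,
             public_ip: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Walk the stanzas in rc.firewall order. NAT is enabled when public_ip
    is given. Returns (verdict, reason)."""
    if first_section_denies(pkt, oif):
        return "deny", "to-rfc1918"
    if public_ip is not None:
        pkt = natd_divert(pkt, oif, public_ip)
    if second_section_denies(pkt, oif):
        return "deny", "from-rfc1918"
    return "pass", None


# Constructed sample traffic: outside interface "fxp0" with public IP 198.51.100.1
OIF, PUBLIC = "fxp0", "198.51.100.1"
SAMPLES = {
    "inbound to private dst":    Packet("203.0.113.5", "10.1.2.3", OIF, "in"),
    "outbound from private src": Packet("192.168.1.10", "203.0.113.5", OIF, "out"),
    "inbound with private src":  Packet("172.16.9.9", PUBLIC, OIF, "in"),
    "private src on inside if":  Packet("192.168.1.10", "203.0.113.5", "fxp1", "out"),
}


def summarize(nat: bool) -> Dict[str, Tuple[str, Optional[str]]]:
    # Verdict for each sample packet, with or without natd enabled
    return {name: evaluate(p, OIF, PUBLIC if nat else None)
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for nat in (False, True):
        print("natd_enable=" + ("YES" if nat else "NO"))
        for name, verdict in summarize(nat).items():
            print(f"  {name:26s} -> {verdict}")
```

Note that the second section also catches a packet arriving on the outside interface with a forged private source, since "via" is not direction-specific; only traffic on the inside interface passes both sections untouched.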