Date: Mon, 24 Aug 2015 13:25:31 +0900 (JST)
From: Hiroki Sato <hrs@FreeBSD.org>
To: truckman@FreeBSD.org
Cc: freebsd-net@FreeBSD.org
Subject: Re: a couple /etc/rc.firewall questions
Message-ID: <20150824.132531.1687906630049554750.hrs@allbsd.org>
In-Reply-To: <201508240052.t7O0qsFF002623@gw.catspoiler.org>
References: <20150823.084453.1715908115913144015.hrs@allbsd.org> <201508240052.t7O0qsFF002623@gw.catspoiler.org>
Don Lewis <truckman@FreeBSD.org> wrote
  in <201508240052.t7O0qsFF002623@gw.catspoiler.org>:

tr> > A TCP setup packet coming from a host on the internal LAN to the NAPT
tr> > router falls into the last deny-all rule because it does not match if
tr> > you added "out via ${oif}" to that rule.  Does the following
tr> > additional rule work for you?
tr> >
tr> >  ${fwcmd} add pass tcp from any to any out via ${oif} setup
tr> >  ${fwcmd} add pass tcp from any to not me in via ${iif} setup
tr>
tr> That works for now, but won't do the correct thing when I subdivide my
tr> internal network because it will allow unrestricted connections between
tr> the internal subnets.  What I'd really like is something like:
tr>
tr>   ${fwcmd} add pass tcp from any to not me,${inet} setup
tr>
tr> but that isn't a valid rule.  I ended up adding a couple of deny
tr> rules for me and ${inet} before the wildcard pass allow rule.  I had to
tr> make sure that some other more specific rules allowing connections
tr> between me and the inside were before the new deny rules.

Hmmm, I think "table" would be useful to restrict connections between
the internal subnets in that case like:

 ## allow TCP setup going to outside network:
 ${fwcmd} add pass tcp from any to any out via ${oif} setup

 ## list of all internal subnets including NAPT router itself:
 ${fwcmd} table 1 flush
 ${fwcmd} table 1 add 192.168.1.1/32   # NAPT router
 ${fwcmd} table 1 add 192.168.3.0/24
 ${fwcmd} table 1 add 192.168.4.0/24
 ...

 ## allow TCP setup from the internal subnets to outside network:
 ${fwcmd} add pass tcp from "table(1)" to not "table(1)" in via ${iif} setup

 ##
 ## list of internal subnets which can connect to me:
 ${fwcmd} table 2 flush
 ${fwcmd} table 2 add 192.168.3.0/24
 ...

 ## allow TCP setup from some of the internal subnets to me:
 ${fwcmd} add pass tcp from "table(2)" to me in via ${iif} setup

-- Hiroki
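The exchange above hinges on ipfw's first-match evaluation: a setup packet from the inside to the router never matches a rule qualified with "out via ${oif}", so it drops through to the final deny, and a blanket "to not me in via ${iif}" rule lets every internal subnet reach every other one. The following is an added illustration, not part of the thread and not ipfw itself: a deliberately simplified first-match model in Python that evaluates both rule sets (the two-rule variant quoted from Don's reply and the table-based variant proposed in this message) against the four cases being discussed. The interface names em0/em1, the router address 192.168.1.1 and the test addresses are assumptions made up for the example; only TCP setup packets are modelled, and only the "in via ${iif}" hook plus, for traffic leaving to the internet, the "out via ${oif}" hook are evaluated (the stateful and anti-spoofing rules a real rc.firewall carries are out of scope).

```python
# Simplified first-match model of the ipfw rule sets discussed in this thread.
# Added example: this is NOT ipfw and NOT /etc/rc.firewall. Interface names,
# addresses and the set of hooks evaluated are assumptions for illustration.
from ipaddress import ip_address, ip_network

IIF, OIF = "em1", "em0"                      # assumed inside / outside NICs
ME = ip_address("192.168.1.1")               # assumed NAPT router address ("me")

# Tables as in the proposed rules: table number -> list of networks.
TABLES = {
    1: [ip_network("192.168.1.1/32"),        # NAPT router itself
        ip_network("192.168.3.0/24"),
        ip_network("192.168.4.0/24")],
    2: [ip_network("192.168.3.0/24")],       # subnets allowed to reach "me"
}

def addr_pred(spec):
    """Turn an ipfw-style address spec ("any", "me", "not table(1)", a CIDR)
    into a predicate over an IP address."""
    negate = spec.startswith("not ")
    body = spec[4:] if negate else spec
    if body == "any":
        pred = lambda ip: True
    elif body == "me":
        pred = lambda ip: ip == ME
    elif body.startswith("table(") and body.endswith(")"):
        nets = TABLES[int(body[6:-1])]
        pred = lambda ip: any(ip in n for n in nets)
    else:
        net = ip_network(body)
        pred = lambda ip: ip in net
    return (lambda ip: not pred(ip)) if negate else pred

# Rules are (action, src_spec, dst_spec, direction, interface); None = any.
# Two-rule variant quoted from Don's reply (plus the trailing deny-all).
RULES_V1 = [
    ("pass", "any", "any", "out", OIF),
    ("pass", "any", "not me", "in", IIF),
    ("deny", "any", "any", None, None),
]

# Table-based variant proposed in this message (plus the trailing deny-all).
RULES_V2 = [
    ("pass", "any", "any", "out", OIF),
    ("pass", "table(1)", "not table(1)", "in", IIF),
    ("pass", "table(2)", "me", "in", IIF),
    ("deny", "any", "any", None, None),
]

def first_match(rules, src, dst, direction, iface):
    """ipfw walks the rules in order; the first matching rule decides."""
    for action, s, d, rdir, rif in rules:
        if ((rdir is None or rdir == direction)
                and (rif is None or rif == iface)
                and addr_pred(s)(src) and addr_pred(d)(dst)):
            return action
    return "deny"                            # ipfw's implicit default

def hooks(dst):
    """Where an inside-originated packet is seen in this model: always
    'in via IIF'; additionally 'out via OIF' when it leaves to the internet."""
    inside = any(dst in n for n in TABLES[1])
    return [("in", IIF)] if inside else [("in", IIF), ("out", OIF)]

def setup_allowed(rules, src, dst):
    """True if a TCP setup packet from src to dst passes at every hook."""
    src, dst = ip_address(src), ip_address(dst)
    return all(first_match(rules, src, dst, d, i) == "pass" for d, i in hooks(dst))

if __name__ == "__main__":
    cases = [("192.168.3.10", "203.0.113.5"),   # LAN host -> internet
             ("192.168.3.10", "192.168.4.10"),  # subnet 3 -> subnet 4
             ("192.168.3.10", "192.168.1.1"),   # subnet 3 -> the router
             ("192.168.4.10", "192.168.1.1")]   # subnet 4 -> the router
    for src, dst in cases:
        print(f"{src:>14} -> {dst:<14} "
              f"v1={setup_allowed(RULES_V1, src, dst)!s:5} "
              f"v2={setup_allowed(RULES_V2, src, dst)}")
```

Running it shows the two behaviours the thread describes: under the two-rule set, subnet 3 reaches both the internet and subnet 4 but not the router; under the table-based set, subnet 3 still reaches the internet and, being listed in table 2, the router, while subnet 3 to subnet 4 and subnet 4 to the router fall through to the deny. Including the router's own /32 in table 1 is what keeps the "to not table(1)" rule from matching router-bound packets, so the narrower table 2 rule is the only way in. When transcribing the posted rules into sh, keep the double quotes around "table(1)" and "table(2)": the parentheses are shell metacharacters and would otherwise be parsed as a subshell.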