From: Hiroki Sato
Date: Mon, 24 Aug 2015 13:25:31 +0900 (JST)
To: truckman@FreeBSD.org
Cc: freebsd-net@FreeBSD.org
Subject: Re: a couple /etc/rc.firewall questions
Message-Id: <20150824.132531.1687906630049554750.hrs@allbsd.org>
In-Reply-To: <201508240052.t7O0qsFF002623@gw.catspoiler.org>
References: <20150823.084453.1715908115913144015.hrs@allbsd.org> <201508240052.t7O0qsFF002623@gw.catspoiler.org>
Don Lewis wrote in <201508240052.t7O0qsFF002623@gw.catspoiler.org>:

tr> > A TCP setup packet coming from a host on the internal LAN to the NAPT
tr> > router falls into the last deny-all rule because it does not match if
tr> > you added "out via ${oif}" to that rule. Does the following
tr> > additional rule work for you?
tr> >
tr> > ${fwcmd} add pass tcp from any to any out via ${oif} setup
tr> > ${fwcmd} add pass tcp from any to not me in via ${iif} setup
tr>
tr> That works for now, but won't do the correct thing when I subdivide my
tr> internal network because it will allow unrestricted connections between
tr> the internal subnets. What I'd really like is something like:
tr>
tr> ${fwcmd} add pass tcp from any to not me,${inet} setup
tr>
tr> but that isn't a valid rule. I ended up adding a couple of deny
tr> rules for me and ${inet} before the wildcard pass allow rule. I had to
tr> make sure that some other more specific rules allowing connections
tr> between me and the inside were before the new deny rules.
Hmmm, I think "table" would be useful to restrict connections between
the internal subnets in that case like:

 ## allow TCP setup going to outside network:
 ${fwcmd} add pass tcp from any to any out via ${oif} setup

 ## list of all internal subnets including NAPT router itself:
 ${fwcmd} table 1 flush
 ${fwcmd} table 1 add 192.168.1.1/32  # NAPT router
 ${fwcmd} table 1 add 192.168.3.0/24
 ${fwcmd} table 1 add 192.168.4.0/24
 ...
 ## allow TCP setup from the internal subnets to outside network:
 ${fwcmd} add pass tcp from "table(1)" to not "table(1)" in via ${iif} setup
 ##
 ## list of internal subnets which can connect to me:
 ${fwcmd} table 2 flush
 ${fwcmd} table 2 add 192.168.3.0/24
 ...
 ## allow TCP setup from some of the internal subnets to me:
 ${fwcmd} add pass tcp from "table(2)" to me in via ${iif} setup

-- Hiroki
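As an added illustration (not part of Hiroki's mail or of FreeBSD's rc.firewall), the following Python snippet simulates ipfw's first-match evaluation over the three table-based pass rules above, followed by an assumed final deny-all rule; the interface names, the router address standing in for "me", and the subnet lists are constructed for the demonstration.

```python
# Constructed simulator for the table-based ipfw ruleset in the mail.
# It answers: which TCP setup packets does the ruleset admit, and does
# "not table(1)" really block setup between two internal subnets?
from ipaddress import ip_address, ip_network

IIF, OIF = "em1", "em0"           # assumed internal / external interfaces
ME = ip_address("192.168.1.1")    # assumed NAPT router address ("me")

# ipfw tables as in the mail (the "..." entries there are left out here)
TABLES = {
    1: [ip_network("192.168.1.1/32"),   # NAPT router itself
        ip_network("192.168.3.0/24"),
        ip_network("192.168.4.0/24")],
    2: [ip_network("192.168.3.0/24")],  # subnets allowed to reach "me"
}

def in_table(n, addr):
    """True when addr falls into any prefix of ipfw table n."""
    return any(addr in net for net in TABLES[n])

# One entry per rule: (action, src matcher, dst matcher, direction, iface).
# Order matters: ipfw stops at the first matching rule.
RULES = [
    # add pass tcp from any to any out via ${oif} setup
    ("pass", lambda s: True, lambda d: True, "out", OIF),
    # add pass tcp from "table(1)" to not "table(1)" in via ${iif} setup
    ("pass", lambda s: in_table(1, s), lambda d: not in_table(1, d), "in", IIF),
    # add pass tcp from "table(2)" to me in via ${iif} setup
    ("pass", lambda s: in_table(2, s), lambda d: d == ME, "in", IIF),
]

def check_setup(src, dst, direction, iface):
    """Action for a TCP setup packet seen in `direction` on `iface`.
    Anything no rule matches falls to the assumed final deny-all rule."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_ok, dst_ok, rdir, riface in RULES:
        if rdir == direction and riface == iface and src_ok(s) and dst_ok(d):
            return action
    return "deny"

if __name__ == "__main__":
    for pkt in [("192.168.3.10", "203.0.113.5", "in", IIF),   # LAN -> Internet
                ("192.168.3.10", "192.168.4.20", "in", IIF),  # subnet 3 -> 4
                ("192.168.3.10", "192.168.1.1", "in", IIF),   # subnet 3 -> me
                ("192.168.4.10", "192.168.1.1", "in", IIF)]:  # subnet 4 -> me
        print(pkt, "->", check_setup(*pkt))
```

Subnet 3 to subnet 4 is denied because the destination is itself in table(1), so only the explicit table(2) rule can admit internal-to-router setups, which is exactly the restriction Don asked for.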