Date: Fri, 14 Nov 2008 13:48:41 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Julian Elischer <julian@elischer.org>
Cc: FreeBSD Net <freebsd-net@freebsd.org>, ipfw@freebsd.org
Subject: Re: rc.firewall quick change
Message-ID: <20081114133913.K70117@sola.nimnet.asn.au>
In-Reply-To: <491CD94F.3020207@elischer.org>
References: <491CD94F.3020207@elischer.org>
On Thu, 13 Nov 2008, Julian Elischer wrote:
> At home I use the following change.
>
> basically, instead of doing 8 rules before and after the nat,
> use a table and do 1 rule on each side.
>
> any objections?

Only that if people are already using tables for anything, chances are
they've already used table 1 (well, it's the first one I used :)

How about using table 127 for this as a rather less likely prior choice?

Apart from that, this will speed up 'simple' on a path every packet
takes, which has to be a good thing.

While I'm at it, I'll offer my own rc.firewall patch again in the
following message. Perhaps you'd care to review it in this context?

cheers, Ian

> (warning, cut-n-paste patch.. will not apply)
>
> Index: rc.firewall
> ===================================================================
> --- rc.firewall (revision 184948)
> +++ rc.firewall (working copy)
> @@ -231,19 +231,24 @@ > ${fwcmd} add deny all from ${onet} to any in via ${iif} > > # Stop RFC1918 nets on the outside interface > - ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} > - ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} > - ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} > + ${fwcmd} table 1 add 10.0.0.0/8 > + ${fwcmd} table 1 add 172.16.0.0/12 > + ${fwcmd} table 1 add 192.168.0.0/16 > > # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes > RESERVED-1, > # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class > E) > # on the outside interface > - ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} > - ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif} > - ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} > - ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif} > - ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} > + ${fwcmd} table 1 add 0.0.0.0/8 > + ${fwcmd} table 1 add 169.254.0.0/16 > + ${fwcmd} table 1 add 192.0.2.0/24 > + ${fwcmd} table 1 add 224.0.0.0/4 > + ${fwcmd} table 1 add 240.0.0.0/4 > > + # Stop the above nets with the table > + > + ${fwcmd} add deny all from any to "table(1)" via ${oif} > + > + > # Network Address Translation. This rule is placed here deliberately > # so that it does not interfere with the surrounding address-checking > # rules. If for example one of your internal LAN machines had its IP 
> @@ -260,19 +265,8 @@ > esac > > # Stop RFC1918 nets on the outside interface > - ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} > - ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} > - ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} > + ${fwcmd} add deny all from "table(1)" to any via ${oif} > > - # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes > RESERVED-1, > - # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class > E) > - # on the outside interface > - ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} > - ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} > - ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} > - ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} > - ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} > - > # Allow TCP through if setup succeeded > ${fwcmd} add pass tcp from any to any established > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >
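Review bot: in the first hunk (@@ -231,19 +231,24 @@) nothing empties table 1 before the eight `${fwcmd} table 1 add ...` lines, and flushing the rule set does not flush ipfw tables, so re-running the script (e.g. via /etc/rc.d/ipfw restart) makes each add fail on an entry that already exists; put `${fwcmd} table 1 flush` directly before the first add. The table number is also hard-coded in three places (the adds and the two `"table(1)"` deny rules across both hunks), so a variable such as `${bogon_table}` defaulting to a high number like the 127 suggested above would avoid clashing with tables users already have and keep the two deny rules in sync.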