From: Don Lewis <truckman@FreeBSD.org>
Date: Sun, 23 Aug 2015 22:58:46 -0700 (PDT)
Subject: Re: a couple /etc/rc.firewall questions
To: hrs@FreeBSD.org
cc: freebsd-net@FreeBSD.org
Message-Id: <201508240558.t7O5wkEZ003893@gw.catspoiler.org>
In-Reply-To: <20150824.132531.1687906630049554750.hrs@allbsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On 24 Aug, Hiroki Sato wrote:
> Don Lewis wrote
>   in <201508240052.t7O0qsFF002623@gw.catspoiler.org>:
>
> tr> > A TCP setup packet coming from a host on the internal LAN to the NAPT
> tr> > router falls into the last deny-all rule because it does not match if
> tr> > you added "out via ${oif}" to that rule.  Does the following
> tr> > additional rule work for you?
> tr> >
> tr> >  ${fwcmd} add pass tcp from any to any out via ${oif} setup
> tr> >  ${fwcmd} add pass tcp from any to not me in via ${iif} setup
> tr>
> tr> That works for now, but won't do the correct thing when I subdivide my
> tr> internal network because it will allow unrestricted connections between
> tr> the internal subnets.  What I'd really like is something like:
> tr>
> tr>  ${fwcmd} add pass tcp from any to not me,${inet} setup
> tr>
> tr> but that isn't a valid rule.  I ended up adding a couple of deny
> tr> rules for me and ${inet} before the wildcard pass allow rule.  I had to
> tr> make sure that some other more specific rules allowing connections
> tr> between me and the inside were before the new deny rules.
>
> Hmmm, I think "table" would be useful to restrict connections between
> the internal subnets in that case like:
>
> ## allow TCP setup going to outside network:
> ${fwcmd} add pass tcp from any to any out via ${oif} setup
> ## list of all internal subnets including NAPT router itself:
> ${fwcmd} table 1 flush
> ${fwcmd} table 1 add 192.168.1.1/32  # NAPT router
> ${fwcmd} table 1 add 192.168.3.0/24
> ${fwcmd} table 1 add 192.168.4.0/24
> ...
> ## allow TCP setup from the internal subnets to outside network:
> ${fwcmd} add pass tcp from "table(1)" to not "table(1)" in via ${iif} setup

Using the interface name here does not work if the internal subnets are
connected via distinct interfaces.  Fortunately this isn't necessary if
each interface has anti-spoofing rules associated with it, so something
like this should work:

  ${fwcmd} add pass tcp from "table(1)" to not "table(1)" setup

I realized a short while ago that we don't need all of the addresses
associated with "me" here, so only the outside address of the router
needs to be added to the table.

Rather than using a table, it would also be possible to just use address
lists:

  oip=192.168.1.1/32      # router external address
  inet1=192.168.3.0/24
  inet2=192.168.4.0/24    # second internal subnet (was a duplicate of inet1 in the original)
  inet=${inet1},${inet2}
  ...
  ${fwcmd} add pass tcp from ${oip},${inet} to not ${oip},${inet} setup

And then ${inet1}, ${inet2}, "me", etc. can be used to add more
fine-grained rules for allowing connections between subnets, and between
the subnets and the router.  Unfortunately inet6 is rather badly named
for this scheme.

> ##
> ## list of internal subnets which can connect to me:
> ${fwcmd} table 2 flush
> ${fwcmd} table 2 add 192.168.3.0/24
> ...
> ## allow TCP setup from some of the internal subnets to me:
> ${fwcmd} add pass tcp from "table(2)" to me in via ${iif} setup
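The following is an added illustration of the rules argued over in this message; it is not code from the thread or from FreeBSD's rc.firewall. It is a small Python model of ipfw first-match evaluation that runs three rule variants against a handful of constructed TCP SYNs: Hiroki's table rule pinned to "in via ${iif}", Don's variant with no interface match, and the latter plus a table(2)-style "to me" rule (with the "in via ${iif}" dropped, for the reason Don gives). The subnets, table 1 and the 192.168.1.1 router address come from the messages above; the interface names em0/em1/em2, the router's inside addresses, the inside hosts and the 198.51.100.7 internet host are assumptions. Since "table(1)" and the oip,${inet} address list match the same set of addresses, one rule in the model stands for both forms.

```python
"""Toy first-match model of the ipfw TCP 'setup' rules discussed in this
thread.  Added example: not FreeBSD code and not the rc.firewall logic.
Interface names, host addresses and the router's inside addresses are
assumptions chosen to line up with the addresses used in the messages."""
import ipaddress

OIF, IIF1, IIF2 = "em0", "em1", "em2"          # assumed interface names
INET1, INET2 = "192.168.3.0/24", "192.168.4.0/24"
OIP = "192.168.1.1"                             # the thread's router outside address
ME = {OIP, "192.168.3.1", "192.168.4.1"}        # what ipfw's "me" would cover (assumed)
INTERNET_HOST = "198.51.100.7"                  # constructed, RFC 5737 TEST-NET-2
TABLE1 = [OIP + "/32", INET1, INET2]            # Hiroki's table 1 == Don's oip,inet list


def _entry_hit(entry, ip):
    if entry == "any":
        return True
    if entry == "me":
        return ip in ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)


def addr_matches(spec, ip):
    """spec is (negated, entries); 'not table(1)' is written (True, TABLE1)."""
    negated, entries = spec
    return any(_entry_hit(e, ip) for e in entries) != negated


def rule(action, src, dst, direction=None, via=None):
    """A 'tcp ... setup' rule; every rule in this model already implies setup."""
    return {"action": action, "src": src, "dst": dst, "dir": direction, "via": via}


def matches(r, pkt):
    if r["dir"] and r["dir"] != pkt["dir"]:
        return False
    if r["via"] and r["via"] != pkt["via"]:
        return False
    return addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])


def verdict(rules, pkt):
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"                               # rc.firewall's trailing deny-all


def egress(dst):
    ip = ipaddress.ip_address(dst)
    for net, ifn in ((INET1, IIF1), (INET2, IIF2)):
        if ip in ipaddress.ip_network(net):
            return ifn
    return OIF


def syn_allowed(rules, src, dst, arrival):
    """ipfw checks a forwarded packet on input and again on output; a packet
    addressed to the router itself is only checked on input."""
    pkt = {"src": src, "dst": dst, "dir": "in", "via": arrival}
    if verdict(rules, pkt) != "pass":
        return False
    if dst in ME:
        return True
    return verdict(rules, dict(pkt, dir="out", via=egress(dst))) == "pass"


ANY = (False, ["any"])
# Hiroki's pair: the setup rule pinned to one inside interface.
VIA_IIF = [rule("pass", ANY, ANY, "out", OIF),
           rule("pass", (False, TABLE1), (True, TABLE1), "in", IIF1)]
# Don's variant: no interface match, relying on per-interface anti-spoofing rules.
NO_VIA = [rule("pass", (False, TABLE1), (True, TABLE1))]
# Plus Hiroki's table 2 idea: only inet1 may open connections to the router itself.
WITH_TABLE2 = NO_VIA + [rule("pass", (False, [INET1]), (False, ["me"]))]


def scenarios(rules):
    h3, h4 = "192.168.3.10", "192.168.4.20"    # constructed inside hosts
    return {
        "inet1 -> internet":       syn_allowed(rules, h3, INTERNET_HOST, IIF1),
        "inet2 -> internet":       syn_allowed(rules, h4, INTERNET_HOST, IIF2),
        "inet1 -> inet2":          syn_allowed(rules, h3, h4, IIF1),
        "inet1 -> router outside": syn_allowed(rules, h3, OIP, IIF1),
        "inet1 -> router inside":  syn_allowed(rules, h3, "192.168.3.1", IIF1),
        "inet2 -> router outside": syn_allowed(rules, h4, OIP, IIF2),
    }


if __name__ == "__main__":
    for name, rules in (("in via iif", VIA_IIF), ("no via", NO_VIA), ("table 2", WITH_TABLE2)):
        print(name)
        for case, ok in scenarios(rules).items():
            print(f"  {case:26} {'pass' if ok else 'deny'}")
```

Running it shows the three points made above: with "in via ${iif}" a SYN from the second subnet on its own interface never matches and falls to the deny-all; without the interface match both subnets reach the outside while inet1 -> inet2 stays denied because the destination is in the table; and a SYN to the router's inside address is already denied by the subnet entry, which is why only the outside address has to be listed separately. The table(2)-style rule then re-opens the router to inet1 only.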