Date:      Mon, 31 Jul 2000 19:04:39 +0300
From:      Ruslan Ermilov <ru@sunbay.com>
To:        Stephen Montgomery-Smith <stephen@math.missouri.edu>, Gregory Bond <gnb@itga.com.au>
Cc:        net@FreeBSD.org
Subject:   Re: conf/20197: rc.firewall with firewall_type=simple doesn't work with natd
Message-ID:  <20000731190439.A75240@sunbay.com>
In-Reply-To: <200007262240.PAA88875@freefall.freebsd.org>; from stephen@math.missouri.edu on Wed, Jul 26, 2000 at 03:40:02PM -0700
References:  <200007262240.PAA88875@freefall.freebsd.org>



On Wed, Jul 26, 2000 at 03:40:02PM -0700, Stephen Montgomery-Smith wrote:
>  
>  Or an even better way - sorry for all my follow ups.
> 
[...]

What do you guys think about the attached patch?


-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

Content-Disposition: attachment; filename=p

Index: rc.firewall
===================================================================
RCS file: /home/ncvs/src/etc/rc.firewall,v
retrieving revision 1.35
diff -u -p -r1.35 rc.firewall
--- rc.firewall	2000/07/30 19:28:05	1.35
+++ rc.firewall	2000/07/31 16:02:55
@@ -67,18 +67,20 @@ esac
 ${fwcmd} -f flush
 
 ############
-# These rules are required for using natd.  All packets are passed to
+# This rule is required for using natd.  All packets are passed to
 # natd before they encounter your remaining rules.  The firewall rules
 # will then be run again on each packet after translation by natd,
-# minus any divert rules (see natd(8)).
+# starting at the rule number following the divert rule (see natd(8)).
 #
-case ${natd_enable} in
-[Yy][Ee][Ss])
-	if [ -n "${natd_interface}" ]; then
-	      ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
-	fi
-	;;
-esac
+nat() {
+	case ${natd_enable} in
+	[Yy][Ee][Ss])
+		if [ -n "${natd_interface}" ]; then
+		      ${fwcmd} add divert natd all from any to any via ${natd_interface}
+		fi
+		;;
+	esac
+}
 
 ############
 # If you just configured ipfw in the kernel as a tool to solve network
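Review bot: dropping the fixed number 50 from the divert rule changes where it lands, and the comment should say so. With no number, ipfw assigns the next auto-increment slot after the last rule present at the time nat is called, so in every type that calls it the divert now follows rules 100 and 200 (the "add 200 deny" shown in the context of the next hunk) instead of preceding them as rule 50 did; loopback traffic therefore stops being handed to natd, which is the better behaviour but is not stated anywhere. The rewritten comment ("starting at the rule number following the divert rule") is correct, but it now sits above a function whose call site decides the position; add a line such as "Call nat only after every rule that must see untranslated addresses" so a later edit does not move the call back to the top. Also, the else branch is silent: natd_enable=YES with an empty natd_interface yields a ruleset with no divert at all. Consider an echo to stderr in that case, since the old rule 50 was equally silent but now the omission is easier to miss inside a function.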
@@ -101,6 +103,10 @@ ${fwcmd} add 200 deny all from any to 12
 #
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn])
+	# Network Address Translation
+	nat
+
+	# Allow everything
 	${fwcmd} add 65000 pass all from any to any
 	;;
 
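Review bot: the old rule 50 was added outside the case statement and so applied to every firewall_type; after this patch only the types that explicitly call nat get a divert rule, and this diff adds the call to open, client and simple only. That is the right default for closed, but any user whose firewall_type is something other than those three (for instance a ruleset loaded from a file) and who relied on rc.firewall inserting the divert now has to add it themselves. This is a behaviour change that belongs in the commit message and in the rc.conf(5) description of natd_enable. For the open type itself the placement is fine: the divert is auto-numbered below 65000, so the "pass all" rule still sees the translated packet.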
@@ -115,6 +121,9 @@ case ${firewall_type} in
 	mask="255.255.255.0"
 	ip="192.0.2.1"
 
+	# Network Address Translation
+	nat
+
 	# Allow any traffic to or from my own net.
 	${fwcmd} add pass all from ${ip} to ${net}:${mask}
 	${fwcmd} add pass all from ${net}:${mask} to ${ip}
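Review bot: style point on the call site: the same three-line "# Network Address Translation" plus "nat" block is now pasted into three types. A more descriptive function name (natd_divert, say) would make the bare call self-explanatory and let the repeated comment go. Placement here is correct: nat is called after the ip and mask assignments and before the own-net pass rules, so a packet re-injected by natd resumes at those pass rules with its translated addresses.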
@@ -171,26 +180,35 @@ case ${firewall_type} in
 	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
 
 	# Stop RFC1918 nets on the outside interface
-	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
 	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
-	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
 	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
-	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
 	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 
 	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 	# on the outside interface
-	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
 	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
-	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
 	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
-	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
 	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
-	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
 	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
-	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
 	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
+
+	# Network Address Translation
+	nat
+
+	# Stop RFC1918 nets on the outside interface
+	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
+	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
+	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
+
+	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
+	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
+	# on the outside interface
+	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
+	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
+	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
+	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
+	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
 
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established
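Review bot: the two comment headers "Stop RFC1918 nets on the outside interface" and the draft-manning header are now duplicated verbatim above two different rule sets, which invites someone to merge them back and reintroduce the bug this PR is about. Label them by what they actually check and when: the first group checks destination addresses before translation, the second checks source addresses after it, for example "# (destination checks; evaluated before natd sees the packet)" and "# (source checks; evaluated after natd has rewritten the source)". The split itself is the correct fix: an outbound packet from an inside RFC1918 address must reach the divert rule with its original source and is only re-evaluated from the rule after the divert, where the source has been rewritten, so "from 10.0.0.0/8 to any via ${oif}" has to come after nat; the "to" checks must stay before the divert because an inbound packet's destination only becomes private after translation, and rules above the divert are not re-run on the translated packet. Anti-spoofing on ${oif} is preserved because an inbound packet natd does not translate is passed back unchanged and still meets the source denies after the divert. When natd_enable is not YES, nat emits nothing and the only effect is the reordering of the denies, which is harmless.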


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000731190439.A75240>