Date:      Tue, 4 Feb 2003 00:27:30 -0500
From:      Mikhail Teterin <mi+kde@aldan.algebra.com>
To:        net@FreeBSD.org
Subject:   Does natd(8) really need to see _all_ packets?
Message-ID:  <200302040027.30781@aldan>

Hi!

This question bothered me for a while -- most of the traffic on my LAN
is just that -- local. Yet my gw/firewall machine only has one interface
-- with two IP addresses -- private and public on it.

The DSL modem is plugged into the switch just like everything else.

I doubt this is a unique setup.

Recently I had to use NFS quite heavily (another machine's disk was
small and slow -- 100baseTX at full duplex was much quicker). I saw the
noticeable CPU percentage eaten by natd -- needlessly, it was not doing
anything to it. This was increasing the latency kernel-user-kernel and I
have decided to improve my setup -- adapted from the "simple" clause of
/etc/rc.firewall.

Here is the result (don't laugh). It seems to work, and when natd is
run with the -verbose flag, it only outputs the real stuff -- it is not
bothered needlessly with 10.0.1.100<->10.0.1.150 packets, for example.

How can this be improved -- without an additional network card for
pure hardware separation? What am I exposed to by not using separate
cards (assuming the ISP has the decency to block extraneous RFC1918
packets)? I guess, I should explicitly list MAC-addresses on my LAN --
or use IPsec. Any other comments?

Should I put this up as a sample somewhere? Could it be adopted for
/etc/rc.firewall (if [ "$oif" = "$iif" ] ....)? Thanks!

	-mi

#define	IF	xl0		/* Interface */
#define	IP	10.0.1.100	/* Local IP */
#define	LN	10.0.1.0/24	/* Local Network */
#define	OIP	x.x.x.x		/* Public IP */

#define	REGULAR	55000
#define	NATD	40000

#undef	DHCP
#define MULTICAST

#define DENY deny log

#if defined(NATD) && NATD > REGULAR
#	error	"Need to skip over natd for local network"
#endif

-f flush
# setup_loopback:
add 100 pass all from any to any via lo0
add 200 DENY all from any to 127.0.0.0/8
add 300 DENY all from 127.0.0.0/8 to any

# Stop spoofing
# How?

add skipto REGULAR all from LN to IP in
add skipto REGULAR all from IP to LN out

#define DRAFTMAN 30000

# Let packets destined for our LAN past the private-network check below:
add skipto DRAFTMAN all from any to LN

# Stop RFC1918 nets on the outside interface
add DENY all from any to 10.0.0.0/8
add DENY all from any to 172.16.0.0/12
add DENY all from any to 192.168.0.0/16

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
add DRAFTMAN DENY all from any to 0.0.0.0/8
#ifndef DHCP
	add DENY all from any to 169.254.0.0/16
#endif
add DENY all from any to 192.0.2.0/24
#ifndef MULTICAST
	add DENY all from any to 224.0.0.0/4
	add DENY all from any to 240.0.0.0/4
#endif

#ifdef NATD
	add NATD divert natd all from LN to not LN out
	add NATD divert natd all from not LN to OIP in
#	add NATD divert natd all from any to any
#endif

# Stop RFC1918 nets on the outside interface
add skipto REGULAR all from LN to not IP
add DENY all from 10.0.0.0/8 to any
add DENY all from 172.16.0.0/12 to any
add DENY all from 192.168.0.0/16 to any

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
add DENY all from 0.0.0.0/8 to any via IF
add DENY all from 169.254.0.0/16 to any via IF
add DENY all from 192.0.2.0/24 to any via IF
add DENY all from 224.0.0.0/4 to any via IF
add DENY all from 240.0.0.0/4 to any via IF

# Allow TCP through if setup succeeded
add REGULAR pass tcp from any to any established

# Allow IP fragments to pass through
add pass all from any to any frag

# Dangerous, needs narrowing down:
add pass icmp from any to any

# Allow the local net access to the rest of the world:
add pass ip from LN to not IP
add pass ip from OIP to not LN

# Allow setup of incoming email
add pass tcp from LN to IP 25 setup

add pass log tcp from any to OIP auth setup
add pass log tcp from any to any ssh setup
add pass log tcp from LN to IP telnet setup

# Allow ICQ packets back to us:
add allow udp from 205.188.153.98/24 4000 to any

# RPC, NTP, Samba:
add allow udp from LN to IP

# Allow access to our DNS
add pass tcp from any to any 53 setup
add pass udp from any to any 53
add pass udp from any 53 to any

# Allow access to our WWW
add pass tcp from any to IP http,https,8000,8015,8016 setup

# Samba:
add pass log tcp from LN to IP 138,139 setup
# add pass log udp from LN to IP 137,138,139

add allow log tcp from 65.224.0.0/12 to OIP hylafax setup

# Reject&Log all setup of incoming connections from the outside
add deny log tcp from any to any in setup

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
add 60000 deny log ip from any to any
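To see what the skipto/divert ordering in the ruleset above actually does to a packet, here is a small first-match simulator with ipfw's skipto and divert semantics. It is example code added to this archived message, not the poster's file or anything shipped with FreeBSD. It resolves the cpp constants (LN, IP, REGULAR, NATD, DRAFTMAN) to the values in the post, assumes ipfw's step-of-100 auto-numbering for the unnumbered rules, uses 203.0.113.5 as a constructed placeholder for the x.x.x.x public address and 10.0.1.150 as a constructed LAN host, and replaces natd with a crude address rewrite; the loopback, fragment and most service rules are left out because they do not affect which packets reach natd.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LN = "10.0.1.0/24"       # Local Network (from the post)
IP = "10.0.1.100/32"     # gateway's private address (from the post)
OIP = "203.0.113.5/32"   # public address: constructed placeholder for x.x.x.x
INSIDE = "10.0.1.150"    # constructed LAN host that natd maps replies back to
REGULAR, NATD, DRAFTMAN = 55000, 40000, 30000

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # ip, tcp, udp or icmp
    direction: str = "in"        # in or out, both on the single interface
    dport: Optional[int] = None
    tcp: Optional[str] = None    # "setup" (SYN only) or "established"

@dataclass
class Rule:
    num: int
    action: str                  # pass, deny, divert or skipto
    proto: str = "ip"
    src: str = "any"             # "any", a network, or "not <network>"
    dst: str = "any"
    direction: Optional[str] = None
    dport: Optional[int] = None
    tcp: Optional[str] = None
    target: Optional[int] = None # skipto destination rule number

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("not ")
    return (ip_address(addr) in ip_network(spec[4:] if negate else spec)) != negate

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", "all") or rule.proto == pkt.proto) \
        and (rule.direction is None or rule.direction == pkt.direction) \
        and (rule.dport is None or rule.dport == pkt.dport) \
        and (rule.tcp is None or rule.tcp == pkt.tcp) \
        and addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)

def simple_natd(pkt: Packet) -> None:
    """Crude stand-in for natd: outbound packets get the public source
    address, inbound ones are mapped back to the constructed inside host."""
    if pkt.direction == "out":
        pkt.src = OIP.split("/")[0]
    else:
        pkt.dst = INSIDE

def evaluate(rules: List[Rule], pkt: Packet, natd=simple_natd):
    """First-match walk with ipfw semantics: skipto jumps forward, divert
    hands the packet to natd and resumes at the next rule, pass/deny end it.
    Returns (verdict, whether natd saw the packet, rule numbers matched)."""
    rules = sorted(rules, key=lambda r: r.num)
    i, diverted, trail = 0, False, []
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        trail.append(r.num)
        if r.action in ("pass", "deny"):
            return r.action, diverted, trail
        if r.action == "divert":
            diverted = True
            natd(pkt)
            i += 1
        else:  # skipto: first rule numbered at or above the target
            i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
    return "deny", diverted, trail  # ipfw's implicit default rule

# The post's rules with the cpp constants resolved (assumed auto-numbering).
RULESET = [
    Rule(400, "skipto", src=LN, dst=IP, direction="in", target=REGULAR),
    Rule(500, "skipto", src=IP, dst=LN, direction="out", target=REGULAR),
    Rule(600, "skipto", dst=LN, target=DRAFTMAN),
    Rule(700, "deny", dst="10.0.0.0/8"),
    Rule(DRAFTMAN, "deny", dst="0.0.0.0/8"),
    Rule(30100, "deny", dst="192.0.2.0/24"),
    Rule(NATD, "divert", src=LN, dst="not " + LN, direction="out"),
    Rule(40100, "divert", src="not " + LN, dst=OIP, direction="in"),
    Rule(40200, "skipto", src=LN, dst="not " + IP, target=REGULAR),
    Rule(40300, "deny", src="10.0.0.0/8"),
    Rule(REGULAR, "pass", proto="tcp", tcp="established"),
    Rule(55100, "pass", proto="icmp"),
    Rule(55200, "pass", src=LN, dst="not " + IP),
    Rule(55300, "pass", src=OIP, dst="not " + LN),
    Rule(55400, "pass", proto="tcp", src=LN, dst=IP, dport=25, tcp="setup"),
    Rule(55500, "pass", proto="tcp", dport=22, tcp="setup"),
    Rule(55600, "pass", proto="udp", src=LN, dst=IP),
    Rule(55700, "deny", proto="tcp", direction="in", tcp="setup"),
    Rule(60000, "deny"),
]

if __name__ == "__main__":
    # Constructed samples: LAN NFS to the gateway, a LAN host's outbound leg
    # to the Internet, and an outside host addressing a LAN address directly.
    for p in (Packet("10.0.1.150", "10.0.1.100", "udp", "in", 2049),
              Packet("10.0.1.150", "198.51.100.7", "tcp", "out", 80, "setup"),
              Packet("198.51.100.7", "10.0.1.150", "tcp", "in", 22, "setup")):
        print(p, "->", evaluate(RULESET, p))
```

The first two cases show the point of the post: LAN-to-gateway NFS jumps from rule 400 straight to the REGULAR block and natd never sees it, while the outbound leg of a LAN-to-Internet connection hits the divert at 40000 and is passed after rewriting. The third case is the exposure the post asks about: because rule 600 skips everything destined for LN past the RFC1918 deny, an inbound SYN addressed directly to a LAN host is accepted by the "pass tcp from any to any ssh setup" rule if the ISP ever delivers such a packet. In this model a `deny all from not LN to LN in` placed before rule 600 closes that without touching the natd path, since natd-translated replies re-enter after the divert rule.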
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200302040027.30781>