Date:      Tue, 23 Aug 2005 15:16:05 +0000
From:      thursday <thursday@sdf.lonestar.org>
To:        freebsd-questions@freebsd.org
Subject:   ifpw weirdness
Message-ID:  <20050823151605.GA29756@SDF.LONESTAR.ORG>

Greetings,

I have a machine running FreeBSD 5.3-RELEASE. I built it in December or so.

Girlfriend accidentally hit the power button on it a couple of months ago, and it rebooted, and everything came back fine. Last night, stupid me stepped on the power strip, and when it rebooted, it would no longer do NAT, or even pass traffic on the internal interface at all.

When I flush the firewall rules (/sbin/ipfw -f flush && /sbin/ipfw add divert natd all from any to any via fxp0 && /sbin/ipfw add pass all from any to any) and allow everything, natd works perfectly happily.

The firewall configuration has not changed since maybe January; I've made no changes to it since the last unplanned reboot, when it all came up fine. 

I'm kind of stumped, and slightly terrified, at what may be the cause. 

Below are bits from my rc.firewall, rc.conf, and natd.conf. I use the "simple" firewall included by default. I've removed my IP address to assuage my paranoia. Anyway, the contents of these files have not changed in months.

Any thoughts would be deeply appreciated.


rc.firewall:

[Ss][Ii][Mm][Pp][Ll][Ee])

        # set these to your outside interface network and netmask and ip
        oif="fxp0"
        onet="xx.xx.xx.xx"
        omask="255.255.255.0"
        oip="xx.xx.xx.xx"

        # set these to your inside interface network and netmask and ip
        iif="rl0"
        inet="192.168.1.0"
        imask="255.255.255.0"
        iip="192.168.1.1"

        setup_loopback

        # Stop spoofing
        ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface
        ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
        ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
        ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
        ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add divert natd all from any to any via ${natd_interface}
                fi
                ;;
        esac

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface
        ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
        ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming email
        ${fwcmd} add pass tcp from any to ${oip} 25 setup

        # Allow access to our WWW
        ${fwcmd} add pass tcp from any to ${oip} 80 setup

        # SSH
        ${fwcmd} add pass tcp from any to ${oip} 22 setup

        # Reject&Log all setup of incoming connections from the outside
        ${fwcmd} add deny log tcp from any to any in via ${oif} setup

        # Allow setup of any other TCP connection
        ${fwcmd} add pass tcp from any to any setup

        # Allow DNS queries out in the world
        ${fwcmd} add pass udp from ${oip} to any 53 keep-state

        # Allow NTP queries out in the world
        ${fwcmd} add pass udp from ${oip} to any 123 keep-state

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        #${fwcmd} add deny all from any to ${oip}

        ;;


--
rc.conf:
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
natd_flags="-log_denied no -f /etc/natd.conf"
natd_interface="fxp0"
natd_program="/sbin/natd"

--
natd.conf:
log no
log_denied no
deny_incoming no
use_sockets yes
same_ports yes
verbose no
interface fxp0


