Date: Thu, 11 Nov 2004 05:25:23 -0800
From: Sean McNeil <sean@mcneil.com>
To: current@freebsd.org
Subject: natd broken for days
Message-ID: <1100179523.21180.8.camel@server.mcneil.com>
It has been reported that both amd64 and i386 architectures will panic in natd by jumping to address 0. There has been no discussion since the reports, however, and I was wondering if anyone is looking into it. Should I file a bug report?

I have nothing special, just turned on some options in the kernel and some things in rc.conf...

config file:

options BRIDGE # bridge ethernet adapters
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPDIVERT

/etc/rc.conf:

firewall_enable="YES"
firewall_type="/etc/fw/rc.firewall.rules"
firewall_quiet="NO"
natd_enable="YES"
natd_flags="-f /etc/fw/natd.conf"
natd_interface="dc0"

/etc/fw/rc.firewall.rules:

# set and flush all rules on start
-q flush
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow all from any to any via lo0
add 00110 deny all from any to 127.0.0.0/8
add 00120 deny all from any to any not verrevpath in
add 00301 allow all from me to 192.168.1.0/24 via dc0
add 00302 deny all from any to 10.0.0.0/8 via dc0
add 00303 deny all from any to 172.16.0.0/12 via dc0
add 00304 deny all from any to 192.168.0.0/16 via dc0
# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd all from any to me in via dc0
add 01001 check-state
add 03001 allow all from 192.168.1.0/24 to me via dc0
add 03002 deny all from 10.0.0.0/8 to any via dc0
add 03003 deny all from 172.16.0.0/12 to any via dc0
add 03004 deny all from 192.168.0.0/16 to any via dc0
add 03005 deny all from 66.159.66.56/29 to any via dc0
# Allow TCP through if setup succeeded
add 04000 pass tcp from any to any established
# Allow IP fragments to pass through
add 04010 pass all from any to any frag
# allow all traffic from the local net to the router
add 04100 allow all from 192.168.10.0/24 to me in via re0
# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 all from 192.168.10.0/24 to any in via re0 keep-state
# allow all outgoing traffic from the router
add 05000 allow all from me to any out via re0
add 05010 allow all from me to any out keep-state
add 60000 skipto 62000 all from any to any
# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd all from 192.168.10.0/24 to any out via dc0
# this is a good packet
add 62000 allow all from any to any

/etc/fw/natd.conf:

unregistered_only
use_sockets
# dynamically open fw for ftp, irc
punch_fw 2000:50
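To see which rule a given packet lands on in the ruleset above, here is a small rule walker written for this page (it is not part of the post or of ipfw). It parses only the subset of the posted rules that matter on the natd path (anti-spoof denies, the two divert rules and the skipto), assumes constructed addresses for what "me" matches, and does not model keep-state/check-state, so it shows the stateless path of a first packet only.

```python
import ipaddress

# Subset of the posted /etc/fw/rc.firewall.rules: the anti-spoof, divert and skipto rules.
RULES = """
add 00302 deny all from any to 10.0.0.0/8 via dc0
add 01000 divert natd all from any to me in via dc0
add 03002 deny all from 10.0.0.0/8 to any via dc0
add 04109 skipto 61000 all from 192.168.10.0/24 to any in via re0 keep-state
add 61000 divert natd all from 192.168.10.0/24 to any out via dc0
add 62000 allow all from any to any
"""
ME = {ipaddress.ip_address(a) for a in ("192.168.10.1", "66.159.66.57")}  # constructed: the router's own addresses

def parse(text):  # 'add NUM ACTION [target] PROTO from SRC to DST [opts...]' -> tuples, in file order
    rules = []
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["add"]:
            target = t.pop(3) if t[2] in ("skipto", "divert") else None
            proto, _, src, _, dst, *opts = t[3:]
            rules.append((int(t[1]), t[2], target, proto, src, dst, opts))
    return rules

def addr_ok(spec, addr):  # 'any', 'me' (the ME set) or a CIDR prefix
    return spec == "any" or ipaddress.ip_address(addr) in (ME if spec == "me" else ipaddress.ip_network(spec))

def opts_ok(opts, pkt):  # 'via IFACE' and 'in'/'out'; any other word is looked up as a packet flag
    i = 0
    while i < len(opts):
        o, i = opts[i], i + 1
        if o == "via":
            hit, i = pkt["iface"] == opts[i], i + 1
        elif o in ("in", "out"):
            hit = pkt["dir"] == o
        else:  # dynamic state is not modelled: keep-state always matches and check-state is left out above
            hit = o == "keep-state" or bool(pkt.get(o, False))
        if not hit:
            return False
    return True

def walk(rules, pkt):  # -> (terminating rule number, action, rule numbers hit along the way)
    trace, i = [], 0
    while i < len(rules):
        num, action, target, proto, src, dst, opts = rules[i]
        i += 1
        if proto in ("all", pkt["proto"]) and addr_ok(src, pkt["src"]) and addr_ok(dst, pkt["dst"]) and opts_ok(opts, pkt):
            trace.append(num)
            if action == "skipto":
                i = next(k for k, r in enumerate(rules) if r[0] >= int(target))
            elif action != "divert":  # divert: natd reinjects the packet and ipfw resumes at the next rule
                return num, action, trace
    return None, "default deny", trace
```

A packet dict carries src, dst, proto, dir and iface as strings; a spoofed 10.0.0.0/8 source arriving on dc0 is diverted to natd at 01000 and then denied at 03002, while a LAN host's first packet in on re0 takes the skipto at 04109 straight to 62000.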