From owner-freebsd-net Sun May 7 7:59:45 2000
Delivered-To: freebsd-net@freebsd.org
Received: from juice.shallow.net (node16229.a2000.nl [24.132.98.41]) by hub.freebsd.org (Postfix) with ESMTP id D642D37BAE3 for ; Sun, 7 May 2000 07:59:41 -0700 (PDT) (envelope-from joshua@roughtrade.net)
Received: from localhost (joshua@localhost) by juice.shallow.net (8.9.3/8.9.3) with ESMTP id RAA19044; Sun, 7 May 2000 17:00:20 +0200 (CEST) (envelope-from joshua@roughtrade.net)
Date: Sun, 7 May 2000 17:00:20 +0200 (CEST)
From: Joshua Goodall
To: Jan Koum
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: possible /etc/rc.firewall bug?
In-Reply-To: <20000506162221.B45391@ethereal.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a "known problem". Since the implications compromise natd security, it should have been fixed. However, it isn't in the latest 4.0-STABLE.

There is a potential fix that may work for you. See http://www.freebsd.org/cgi/query-pr.cgi?pr=13769 but beware the warnings about making your firewall "weak". The resulting firewall ruleset should provide a basis for a stronger configuration.

-- 
Joshua Goodall
IP Systems Engineer - InterXion - http://www.InterXion.com/

On Sat, 6 May 2000, Jan Koum wrote:

> 
> i just noticed something. if you setup natd and ipfw, you end up with:
> 
> # ipfw -a l
> 00100 677369 166815520 divert 8668 ip from any to any via ed0
> 00100 397358 45078874 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 65000 1709011 373169093 allow ip from any to any
> 65535 0 0 deny ip from any to any
> 
> two rules with number 100 -- i suggest moving divert rule to 50 by changing
> 
> ${fwcmd} add divert natd all from any to any via ${natd_interface}
> 
> to:
> 
> ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
> 
> 
> of course another way to do this is to remove #'s from following rules:
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> 
> 
> thanks,
> 
> -- yan
> 
> 
> p.s. - this is 4.0 box with rc.firewall:
> # $FreeBSD: src/etc/rc.firewall,v 1.30 2000/02/06 19:24:37 paul Exp $
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
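The rule-number collision quoted in the thread (two rules numbered 100, one of them the natd divert) is easy to audit from the output of `ipfw -a l`. The following POSIX shell script is an added example written for this page; it is not code from the thread, from FreeBSD's rc.firewall, or from PR 13769. The two listings are constructed to mirror the one Jan quoted, before and after the suggested `add 50 divert` change, and the function names (`dup_rule_numbers`, `divert_precedes_allow`, `audit_ruleset`) are this example's own. The checks flag any reused rule number and confirm that the divert rule has a strictly lower number than the first `allow` rule, so its position no longer depends on the order in which same-numbered rules happened to be loaded.

```shell
#!/bin/sh
# Added example (not from the original thread or from rc.firewall):
# sanity checks over "ipfw -a l" output for the numbering problem above.

# Constructed listing mirroring the one quoted in the thread
# (divert and lo0 allow both numbered 100).
BEFORE='00100 677369 166815520 divert 8668 ip from any to any via ed0
00100 397358 45078874 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
65000 1709011 373169093 allow ip from any to any
65535 0 0 deny ip from any to any'

# Constructed listing after "${fwcmd} add 50 divert natd ..." is used.
AFTER='00050 677369 166815520 divert 8668 ip from any to any via ed0
00100 397358 45078874 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
65000 1709011 373169093 allow ip from any to any
65535 0 0 deny ip from any to any'

# Print every rule number that occurs more than once, one per line.
# Columns of "ipfw -a l" are: rule packets bytes action ...
dup_rule_numbers() {
    printf '%s\n' "$1" | awk '{ print $1 }' | sort | uniq -d
}

# Succeed only when no rule number is reused.
rules_unique() {
    [ -z "$(dup_rule_numbers "$1")" ]
}

# Succeed only when the divert rule's number is strictly lower than the
# first allow rule's number ("$1 + 0" strips the leading zeros).
divert_precedes_allow() {
    div=$(printf '%s\n' "$1" | awk '$4 == "divert" { print $1 + 0; exit }')
    alw=$(printf '%s\n' "$1" | awk '$4 == "allow"  { print $1 + 0; exit }')
    [ -n "$div" ] && [ -n "$alw" ] && [ "$div" -lt "$alw" ]
}

# Run both checks over a listing and report each finding.
# Usage on a live box: audit_ruleset "$(ipfw -a l)"
audit_ruleset() {
    status=0
    dups=$(dup_rule_numbers "$1")
    if [ -n "$dups" ]; then
        echo "duplicate rule number(s): $dups"
        status=1
    fi
    if ! divert_precedes_allow "$1"; then
        echo "divert rule does not precede the first allow rule"
        status=1
    fi
    return $status
}

audit_ruleset "$BEFORE" || echo "BEFORE: ruleset needs attention"
audit_ruleset "$AFTER" && echo "AFTER: ruleset ok"
```

Both checks are deliberately simple: `dup_rule_numbers` catches any reuse, not just the 100/100 case, and `divert_precedes_allow` expresses the property the fix is really after, which is that traffic reaches the divert rule before any rule can pass it. Running the audit against the live `ipfw -a l` output after each rc.firewall change makes the numbering explicit instead of relying on load order.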