Date:      Sun, 27 Jun 2010 08:30:03 GMT
From:      Ian Smith <smithi@nimnet.asn.au>
To:        freebsd-ipfw@FreeBSD.org
Subject:   Re: conf/148144: [patch] add ipfw_nat support for rc.firewall simple type
Message-ID:  <201006270830.o5R8U3fq079207@freefall.freebsd.org>

The following reply was made to PR conf/148144; it has been noted by GNATS.

From: Ian Smith <smithi@nimnet.asn.au>
To: bug-followup@FreeBSD.org, naylor.b.david@gmail.com
Cc:  
Subject: Re: conf/148144: [patch] add ipfw_nat support for rc.firewall simple type
Date: Sun, 27 Jun 2010 18:29:38 +1000

 This patch is certainly needed to make 'simple' usable out of the box.
 
 I'd like to offer an alternative patch, reusing rather than duplicating
 the existing NAT code, making it a function with the same functionality.
 
 This patch also adds allowing outbound pings and essential ICMP to both
 'client' and 'simple' rulesets, another long-term omission.  I'd have
 also included the complementary ipv6-icmp rules from 'workstation' but
 I have no way to test and confirm their correctness.
 
 cheers, Ian
 
 Attachment: rc.firewall.patch
 
 --- rc.firewall.1.69	Sun Jun 27 16:43:48 2010
 +++ rc.firewall	Sun Jun 27 17:48:15 2010
 @@ -142,20 +142,19 @@
  setup_ipv6_mandatory
  
  ############
 -# Network Address Translation.  All packets are passed to natd(8)
 -# before they encounter your remaining rules.  The firewall rules
 -# will then be run again on each packet after translation by natd
 -# starting at the rule number following the divert rule.
 +# Network Address Translation.  All packets are passed to natd(8) or
 +# kernel nat before they encounter your remaining rules.  The firewall
 +# rules will then be run again on each packet after nat translation
 +# starting at the rule number following the divert or nat rule.
  #
 -# For ``simple'' firewall type the divert rule should be put to a
 +# For ``simple'' firewall type the divert or nat rule is included in a
  # different place to not interfere with address-checking rules.
  #
 -case ${firewall_type} in
 -[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
 +setup_nat () {
  	case ${natd_enable} in
  	[Yy][Ee][Ss])
  		if [ -n "${natd_interface}" ]; then
 -			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
 +			${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface}
  		fi
  		;;
  	esac
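Review bot: the `$1` in `${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface}` is deliberately left unquoted, so that a call with no argument (as the simple ruleset makes further down) drops the word entirely and lets ipfw auto-number the rule, while `setup_nat 50` pins it; that is subtle enough to deserve a one-line header above `setup_nat () {`, e.g. `# setup_nat [rulenum]: install the natd(8) divert or kernel nat rule`, since anyone who later "fixes" the expansion to `"$1"` will hand ipfw an empty word and break the unnumbered call.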
 @@ -169,11 +168,11 @@
  				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
  			fi
  			${fwcmd} nat 123 config log ${firewall_nat_flags}
 -			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
 +			${fwcmd} add $1 nat 123 ip4 from any to any via ${firewall_nat_interface}
  		fi
  		;;
  	esac
 -esac
 +}
  
  ############
  # If you just configured ipfw in the kernel as a tool to solve network
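Review bot: the two `case` blocks inside the new function are independent, so with both `natd_enable` and `firewall_nat_enable` set to yes it installs a `divert natd` rule and a `nat 123` rule carrying the same number `$1` (or two consecutive unnumbered rules for the simple call). The original code at rule 50 had the same overlap, but now that the logic lives in one function this is the natural place to make the two branches exclusive, or at least to warn when both are enabled, rather than silently translating twice.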
 @@ -188,6 +187,7 @@
  #
  case ${firewall_type} in
  [Oo][Pp][Ee][Nn])
 +	setup_nat 50
  	${fwcmd} add 65000 pass all from any to any
  	;;
  
 @@ -205,6 +205,8 @@
  	net="$firewall_client_net"
  	net6="$firewall_client_net_ipv6"
  
 +	setup_nat 50
 +
  	# Allow limited broadcast traffic from my own net.
  	${fwcmd} add pass all from ${net} to 255.255.255.255
  
 @@ -245,6 +247,12 @@
  	# Allow NTP queries out in the world
  	${fwcmd} add pass udp from me to any 123 keep-state
  
 +	# Allow outbound pings
 +	${fwcmd} add pass icmp from me to any out icmptypes 8 keep-state
 +
 +	# Allow essential ICMP: unreachable, source quench, TTL exceeded
 +	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
 +
  	# Everything else is denied by default, unless the
  	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
  	# config file.
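Review bot: the `icmptypes 3,4,11` rule is `from any to any` with no direction or state, unlike the ping rule just above it, which is limited to `from me ... out ... keep-state`; that asymmetry is intended (destination-unreachable and time-exceeded arrive unsolicited, in reply to traffic that left statelessly or stateful alike), but the comment should say so, and type 4 (source quench) is deprecated (RFC 6633) and ignored by current stacks, so it can be dropped from the list or noted as kept only for completeness.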
 @@ -311,13 +319,7 @@
  	# translated by natd(8) would match the `deny' rule above.  Similarly
  	# an outgoing packet originated from it before being translated would
  	# match the `deny' rule below.
 -	case ${natd_enable} in
 -	[Yy][Ee][Ss])
 -		if [ -n "${natd_interface}" ]; then
 -			${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
 -		fi
 -		;;
 -	esac
 +	setup_nat
  
  	# Stop RFC1918 nets on the outside interface
  	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
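Review bot: the explanatory comment above this call (context lines) still says a packet "translated by natd(8)", but the bare `setup_nat` now installs either the divert rule or the kernel `nat 123` rule at this point, so the comment should name both mechanisms. The no-argument call itself is right for this position: the original `${fwcmd} add divert natd ...` it replaces was also unnumbered and took the next sequential rule number, so ordering relative to the spoofing and RFC1918 rules is unchanged.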
 @@ -414,6 +416,12 @@
  
  	# Allow NTP queries out in the world
  	${fwcmd} add pass udp from me to any 123 keep-state
 +
 +	# Allow outbound pings from our net
 +	${fwcmd} add pass icmp from any to any out icmptypes 8 keep-state
 +
 +	# Allow essential ICMP: unreachable, source quench, TTL exceeded
 +	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
  
  	# Everything else is denied by default, unless the
  	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
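Review bot: the comment says "from our net" but the ping rule matches `from any`; that is necessary here, because the NAT rule installed by `setup_nat` earlier in this ruleset has already rewritten an inside source to the outside address by the time the packet reaches this rule, so the comment should say so, or a reader will tighten it to `from ${inet}:${imask}` and break outbound pings. For the same ordering reason, confirm on a NAT'd inside host that the echo reply actually matches the dynamic entry created by `keep-state`: the entry is recorded with the translated addresses, whereas the reply is translated back to the inside address by the NAT rule before any state lookup happens; if it does not match, the ping rule needs to be placed ahead of the NAT rule or made stateless.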
 
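The following is an added example, not part of the patch or of FreeBSD's rc.firewall: a dry-run harness that reproduces the patched `setup_nat` function with `fwcmd` pointed at a recording function instead of `ipfw -q`, so the rules it would install can be inspected on any POSIX sh without ipfw(8). It shows the effect of the optional rule-number argument (pinned at 50 for open/client, auto-numbered for simple) and what happens when both `natd_enable` and `firewall_nat_enable` are set. The function body is modelled on the patched rc.firewall with the ip-vs-if test on `firewall_nat_interface` simplified; `record_rule`, `render_nat_rules` and the interface name `em0` are this example's own assumptions.

```shell
#!/bin/sh
# Added example: dry-run harness for the setup_nat function proposed in the
# patch above. Not part of the patch or of FreeBSD's rc.firewall; the body
# of setup_nat is modelled on the patched rc.firewall (the ip-vs-if test on
# firewall_nat_interface is simplified), and record_rule / render_nat_rules
# and the interface name em0 are this example's own assumptions.

RULES=""

# Stand-in for ${fwcmd}: appends the would-be ipfw command line to RULES,
# one line per call, exactly as the words arrive after shell expansion.
record_rule() {
    if [ -z "$RULES" ]; then
        RULES="$*"
    else
        RULES="$RULES
$*"
    fi
}

# setup_nat [rulenum]: install the natd(8) divert rule and/or the kernel nat
# rule. $1 is left unquoted on purpose: with no argument the word vanishes
# and ipfw assigns the next number (the 'simple' placement); with an
# argument the rule is pinned (50 for 'open' and 'client').
setup_nat () {
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface}
        fi
        ;;
    esac
    case ${firewall_nat_enable} in
    [Yy][Ee][Ss])
        if [ -n "${firewall_nat_interface}" ]; then
            firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
            ${fwcmd} nat 123 config log ${firewall_nat_flags}
            ${fwcmd} add $1 nat 123 ip4 from any to any via ${firewall_nat_interface}
        fi
        ;;
    esac
}

# render_nat_rules natd_enable firewall_nat_enable [rulenum]
# Runs setup_nat under the given rc.conf(5) settings (interface em0, an
# assumed value) and prints the rules it would hand to ipfw, one per line.
render_nat_rules() {
    RULES=""
    natd_enable=$1
    firewall_nat_enable=$2
    natd_interface=em0
    firewall_nat_interface=em0
    firewall_nat_flags=""
    fwcmd=record_rule
    setup_nat $3
    printf '%s\n' "$RULES"
}

# Stand-alone demonstration: the numbered form used by 'open'/'client', the
# unnumbered form used by 'simple', and the overlap when both NAT mechanisms
# are enabled at once (two rules with the same number).
echo "--- natd, rule 50";    render_nat_rules yes no 50
echo "--- natd, unnumbered"; render_nat_rules yes no
echo "--- kernel nat, 50";   render_nat_rules no yes 50
echo "--- both enabled";     render_nat_rules yes yes 50
```

The unnumbered form works only because `$1` is expanded unquoted; replacing it with `"$1"` would pass ipfw an empty argument where the rule number belongs. The "both enabled" case prints a divert rule and a nat rule with the same number, which is the overlap the function inherits from the original rule-50 code.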