Date:      Sat, 27 Mar 2004 08:33:43 -0800 (PST)
From:      Vlad Manilici <vman.SYMBOL.tmok.SYMBOL.com@FreeBSD.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   docs/64807: Handbook section on NAT incomplete
Message-ID:  <200403271633.i2RGXhsW012805@www.freebsd.org>
Resent-Message-ID: <200403271640.i2RGeDZx029719@freefall.freebsd.org>


>Number:         64807
>Category:       docs
>Synopsis:       Handbook section on NAT incomplete
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 27 08:40:13 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Vlad Manilici
>Release:        5.2.1
>Organization:
>Environment:
$ uname -a
FreeBSD <hostname> 5.2.1-RELEASE-p3 FreeBSD 5.2.1-RELEASE-p3 #10: Tue Mar 23 20:32:54 CET 2004 root@<hostname>:/usr/obj/usr/src/sys/<kernel>  i386

>Description:
The Handbook section on NAT:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
does not contain sufficient information to configure NAT on FreeBSD.

More specifically:
1. the suggested firewall configuration ("OPEN") does not contain any
   redirection rule. Probably, the intention was "OpenClient".
2. it should be mentioned that NAT does not work with stateful rules.
3. NAT configuration with an "open" firewall is not enough in today's
   Internet. A set of rules that mixes NAT with filtering should be
   explained. Combining the two raises some problems not seen with either
   one independently, and these should definitely be explained.

Here is a working set of rules for NAT and some meaningful packet
filtering (of course, one could do better). The external interface
is "xl0", and the internal one "rl0". The internal network is
10.0.0/24.

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 divert 8668 ip from any to any via xl0
00500 allow ip from any to any frag
00600 allow ip from 10.0.0.0/24 to any in recv rl0
00700 allow ip from any to 10.0.0.0/24 out xmit rl0
00800 allow ip from any to 10.0.0.0/24 via xl0
00900 allow tcp from me to any setup out xmit xl0
01000 allow tcp from any to me dst-port 22 setup in recv xl0
01100 allow tcp from any to any established via xl0
01200 allow udp from any 53 to any via xl0
01300 allow udp from any to any dst-port 53 via xl0
01400 allow udp from any 68 to any via xl0
01500 allow udp from any to any dst-port 68 via xl0
01600 allow udp from any 123 to any via xl0
01700 allow udp from any to any dst-port 123 via xl0
01800 allow icmp from me to any icmptypes 8 out xmit xl0
01900 allow icmp from any to me icmptypes 0 in recv xl0
02000 allow icmp from any to any icmptypes 3,11 via xl0
02100 deny ip from any to any
65535 deny ip from any to any

Note that:
1. I used the "standard" loopback configuration in rc.firewall.
2. Diverting should be the first rule after loopback setup.
3. Rule 800, although it seems contradictory, is necessary (tested).
   To know why, one should explore how natd packet reinjection works.

>How-To-Repeat:
Give a beginner the Handbook and ask her to install NAT :)).
>Fix:
See above.
>Release-Note:
>Audit-Trail:
>Unformatted:
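The reinjection behaviour hinted at in note 3 above, as an added illustration that is not part of the PR or of FreeBSD: a toy Python model of the posted ruleset that walks a few constructed packets through it. It assumes what divert(4) documents for natd: a packet that natd writes back is re-evaluated starting at the rule after the divert rule, with its interface and direction unchanged. natd itself is reduced to a port-preserving masquerade of 10.0.0.0/24 behind the external address, only the ipfw options the posted rules use are modelled, and 192.0.2.1 (standing in for "me"), 198.51.100.7 and 203.0.113.9 are constructed addresses. In this model the reply to a ping from an internal host is allowed only by rule 800: after natd has rewritten its destination to a 10.0.0.x address, rule 1900 ("to me") no longer matches, and without rule 800 the reply falls through to the final deny.

```python
import ipaddress
from collections import namedtuple

IP, NET = ipaddress.ip_address, ipaddress.ip_network
EXT_IF, INT_IF = "xl0", "rl0"            # interface names from the PR
EXT_IP = IP("192.0.2.1")                 # constructed address standing in for "me"
INT_NET = NET("10.0.0.0/24")             # internal network from the PR

# A packet: proto is "tcp"/"udp"/"icmp"; iface and direction ("in"/"out") say
# where ipfw sees it; for icmp both ports carry the echo id (simplification).
Pkt = namedtuple("Pkt", "proto src dst iface direction sport dport setup established icmptype frag",
                 defaults=(0, 0, False, False, -1, False))
# A rule: only the ipfw options used by the posted ruleset. src/dst are "any",
# "me" or an ip_network; iface/direction encode "via X", "in recv X", "out xmit X".
Rule = namedtuple("Rule", "num action proto src dst sport dport iface direction setup established icmptypes frag",
                  defaults=("ip", "any", "any", 0, 0, "", "", False, False, (), False))

RULES = [  # the PR's ruleset, one Rule per ipfw line
    Rule(100, "allow", iface="lo0"),
    Rule(200, "deny", dst=NET("127.0.0.0/8")),
    Rule(300, "deny", src=NET("127.0.0.0/8")),
    Rule(400, "divert", iface=EXT_IF),  # divert 8668 to natd
    Rule(500, "allow", frag=True),
    Rule(600, "allow", src=INT_NET, iface=INT_IF, direction="in"),
    Rule(700, "allow", dst=INT_NET, iface=INT_IF, direction="out"),
    Rule(800, "allow", dst=INT_NET, iface=EXT_IF),
    Rule(900, "allow", "tcp", src="me", setup=True, iface=EXT_IF, direction="out"),
    Rule(1000, "allow", "tcp", dst="me", dport=22, setup=True, iface=EXT_IF, direction="in"),
    Rule(1100, "allow", "tcp", established=True, iface=EXT_IF),
    Rule(1200, "allow", "udp", sport=53, iface=EXT_IF),
    Rule(1300, "allow", "udp", dport=53, iface=EXT_IF),
    Rule(1400, "allow", "udp", sport=68, iface=EXT_IF),
    Rule(1500, "allow", "udp", dport=68, iface=EXT_IF),
    Rule(1600, "allow", "udp", sport=123, iface=EXT_IF),
    Rule(1700, "allow", "udp", dport=123, iface=EXT_IF),
    Rule(1800, "allow", "icmp", src="me", icmptypes=(8,), iface=EXT_IF, direction="out"),
    Rule(1900, "allow", "icmp", dst="me", icmptypes=(0,), iface=EXT_IF, direction="in"),
    Rule(2000, "allow", "icmp", icmptypes=(3, 11), iface=EXT_IF),
    Rule(2100, "deny"),
]

def addr_match(spec, addr):
    if spec == "any":
        return True
    return addr == EXT_IP if spec == "me" else addr in spec

def matches(r, p):
    return (r.proto in ("ip", p.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and r.sport in (0, p.sport) and r.dport in (0, p.dport)
            and r.iface in ("", p.iface) and r.direction in ("", p.direction)
            and (p.setup or not r.setup) and (p.established or not r.established)
            and (p.icmptype in r.icmptypes or not r.icmptypes)
            and (p.frag or not r.frag))

def natd(p, table):
    """Toy natd: port-preserving masquerade of INT_NET behind EXT_IP."""
    if p.direction == "out" and p.src in INT_NET:
        table[(p.proto, p.dst, p.sport)] = p.src
        return p._replace(src=EXT_IP)
    if p.direction == "in" and p.dst == EXT_IP:
        inner = table.get((p.proto, p.src, p.dport))
        if inner is not None:
            return p._replace(dst=inner)
    return p  # no mapping (e.g. SSH to the gateway itself): passed through untouched

def walk(rules, p, table):
    """Return (verdict, numbers of the rules that matched) for one packet."""
    trace = []
    for r in rules:
        if not matches(r, p):
            continue
        trace.append(r.num)
        if r.action == "divert":
            p = natd(p, table)  # natd rewrites the packet and reinjects it; ipfw
            continue            # resumes at the rule after the divert rule
        return r.action, trace
    return "deny", trace        # implicit default rule 65535

def echo_reply_trace(ruleset=RULES):
    """An internal host pings a remote address (constructed values); return
    the verdict and trace for the echo reply arriving in on xl0."""
    table = {}
    req = Pkt("icmp", IP("10.0.0.5"), IP("198.51.100.7"), EXT_IF, "out",
              sport=777, dport=777, icmptype=8)
    walk(ruleset, req, table)  # leaving xl0: diverted, then allowed by rule 1800
    reply = Pkt("icmp", IP("198.51.100.7"), EXT_IP, EXT_IF, "in",
                sport=777, dport=777, icmptype=0)
    return walk(ruleset, reply, table)

def ssh_to_gateway_trace():
    """A remote SYN to the gateway's own port 22 has no NAT mapping and
    reaches rule 1000 untranslated (constructed remote address)."""
    syn = Pkt("tcp", IP("203.0.113.9"), EXT_IP, EXT_IF, "in",
              sport=50000, dport=22, setup=True)
    return walk(RULES, syn, {})

WITHOUT_800 = [r for r in RULES if r.num != 800]  # same ruleset minus rule 800
```

Running `echo_reply_trace()` against the full ruleset ends at rule 800, while `echo_reply_trace(WITHOUT_800)` ends at the final deny (rule 2100), which is the behaviour the PR reports as "necessary (tested)". The model deliberately ignores ipfw details the ruleset does not exercise (port ranges, option matching, natd port rewriting), so it illustrates rule ordering, not natd itself.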