From owner-freebsd-doc@FreeBSD.ORG Sat Mar 27 08:40:14 2004
Resent-Date: Sat, 27 Mar 2004 08:40:13 -0800 (PST)
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-doc@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Vlad Manilici
Message-Id: <200403271633.i2RGXhsW012805@www.freebsd.org>
Date: Sat, 27 Mar 2004 08:33:43 -0800 (PST)
From: Vlad Manilici
To: freebsd-gnats-submit@FreeBSD.org
Subject: docs/64807: Handbook section on NAT incomplete

>Number: 64807
>Category: docs
>Synopsis: Handbook section on NAT incomplete
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 27 08:40:13 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Vlad Manilici
>Release: 5.2.1
>Organization:
>Environment:
$ uname -a
FreeBSD 5.2.1-RELEASE-p3 FreeBSD 5.2.1-RELEASE-p3 #10: Tue Mar 23 20:32:54 CET 2004 root@:/usr/obj/usr/src/sys/ i386
>Description:
The Handbook section on NAT:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
does not contain sufficient information to configure NAT on FreeBSD. More specifically:

1. the suggested firewall configuration ("OPEN") does not contain any redirection rule. Probably, the intention was "OpenClient".
2. it should be mentioned that NAT does not work with stateful rules.
3. NAT configuration with an "open" firewall is not enough in today's Internet. A set of rules that mixes NAT with filtering should be explained. Combining the two raises some problems not seen in either independently, and should definitely be explained.

Here is a working set of rules for NAT and some meaningful packet filtering (of course, one could do better). The external interface is "xl0", and the internal one "rl0". The internal network is 10.0.0/24.
# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 divert 8668 ip from any to any via xl0
00500 allow ip from any to any frag
00600 allow ip from 10.0.0.0/24 to any in recv rl0
00700 allow ip from any to 10.0.0.0/24 out xmit rl0
00800 allow ip from any to 10.0.0.0/24 via xl0
00900 allow tcp from me to any setup out xmit xl0
01000 allow tcp from any to me dst-port 22 setup in recv xl0
01100 allow tcp from any to any established via xl0
01200 allow udp from any 53 to any via xl0
01300 allow udp from any to any dst-port 53 via xl0
01400 allow udp from any 68 to any via xl0
01500 allow udp from any to any dst-port 68 via xl0
01600 allow udp from any 123 to any via xl0
01700 allow udp from any to any dst-port 123 via xl0
01800 allow icmp from me to any icmptypes 8 out xmit xl0
01900 allow icmp from any to me icmptypes 0 in recv xl0
02000 allow icmp from any to any icmptypes 3,11 via xl0
02100 deny ip from any to any
65535 deny ip from any to any

Note that:
1. I used the "standard" loopback configuration in rc.firewall.
2. Diverting should be the first rule after loopback setup.
3. Rule 800, although it seems contradictory, is necessary (tested). To know why, one should explore how natd packet reinjection works.
>How-To-Repeat:
Give a beginner the Handbook and ask her to install NAT :)).
>Fix:
See above.
>Release-Note:
>Audit-Trail:
>Unformatted:
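The three notes at the end of the PR (the divert rule directly after the loopback rules, the allow in rule 800 for packets natd re-injects towards the LAN, and the statement that stateful rules do not work with NAT) turned into a mechanical check, added here as an example that is not part of the PR or of the Handbook: a small Python linter over `ipfw list` output. The first ruleset is the one posted above, with the PR's interface names and network; the second ruleset, the finding codes and the function names are constructed for the demonstration. The stateful check reports what the PR states, not an independent verification of it.

```python
# Added example, not the PR's or the Handbook's code: lint `ipfw list` output for the PR's NAT pitfalls.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The working ruleset posted in the PR (external xl0, internal rl0).
PR_RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 divert 8668 ip from any to any via xl0
00500 allow ip from any to any frag
00600 allow ip from 10.0.0.0/24 to any in recv rl0
00700 allow ip from any to 10.0.0.0/24 out xmit rl0
00800 allow ip from any to 10.0.0.0/24 via xl0
00900 allow tcp from me to any setup out xmit xl0
01000 allow tcp from any to me dst-port 22 setup in recv xl0
01100 allow tcp from any to any established via xl0
01200 allow udp from any 53 to any via xl0
01300 allow udp from any to any dst-port 53 via xl0
01400 allow udp from any 68 to any via xl0
01500 allow udp from any to any dst-port 68 via xl0
01600 allow udp from any 123 to any via xl0
01700 allow udp from any to any dst-port 123 via xl0
01800 allow icmp from me to any icmptypes 8 out xmit xl0
01900 allow icmp from any to me icmptypes 0 in recv xl0
02000 allow icmp from any to any icmptypes 3,11 via xl0
02100 deny ip from any to any
65535 deny ip from any to any
"""

# Constructed counter-example, not from the PR: check-state ahead of the
# divert, a keep-state rule, and no allow for natd's re-injected packets.
BROKEN_RULESET = """\
00100 allow ip from any to any via lo0
00200 check-state
00300 divert 8668 ip from any to any via xl0
00400 allow tcp from 10.0.0.0/24 to any keep-state
65535 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d{5})\s+(\S+)\s*(.*)$")
STATEFUL_RE = re.compile(r"\b(keep-state|check-state)\b")
Finding = Tuple[str, Optional[int], str]  # (code, rule number, message)


@dataclass
class Rule:
    number: int
    action: str  # allow, deny, divert, check-state, ...
    body: str    # everything after the action


def parse_ipfw_list(listing: str) -> List[Rule]:
    """Parse `ipfw list` output into Rule objects sorted by rule number."""
    rules = []
    for line in filter(None, (ln.strip() for ln in listing.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ipfw rule: {line!r}")
        rules.append(Rule(int(m.group(1)), m.group(2), m.group(3)))
    return sorted(rules, key=lambda r: r.number)


def is_loopback_rule(rule: Rule) -> bool:
    """The rc.firewall loopback prologue: lo0 and 127.0.0.0/8 handling."""
    return "lo0" in rule.body or "127.0.0.0/8" in rule.body


def lint_nat_ruleset(rules: List[Rule], ext_if: str, int_net: str) -> List[Finding]:
    """Check the PR's three points; an empty list means the ruleset is clean."""
    findings: List[Finding] = []
    divert = next((r for r in rules if r.action == "divert" and f"via {ext_if}" in r.body), None)
    if divert is None:
        findings.append(("no-divert", None, f"no divert rule on {ext_if}; natd never sees the traffic"))
    else:
        # Note 2: only the loopback rules may precede the divert rule.
        for r in rules:
            if r.number >= divert.number:
                break
            if not is_loopback_rule(r):
                findings.append(("pre-divert", r.number, f"rule {r.number:05d} runs before the divert rule"))
        # Note 3: rule 800, the allow for packets natd re-injects towards the LAN.
        if not any(r.action == "allow" and f"to {int_net}" in r.body and f"via {ext_if}" in r.body
                   for r in rules):
            findings.append(("no-reinject-allow", None,
                             f"no 'allow ip from any to {int_net} via {ext_if}' for re-injected packets"))
    # Description point 2: the PR states stateful rules do not work with NAT.
    for r in rules:
        m = STATEFUL_RE.search(f"{r.action} {r.body}")
        if m:
            findings.append(("stateful", r.number, f"rule {r.number:05d} uses {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for name, listing in (("PR ruleset", PR_RULESET), ("broken ruleset", BROKEN_RULESET)):
        findings = lint_nat_ruleset(parse_ipfw_list(listing), "xl0", "10.0.0.0/24")
        print(name + ":", "clean" if not findings else "")
        for code, _, msg in findings:
            print(f"  [{code}] {msg}")
```

Run it against a live box with `ipfw list | python3 lint.py`-style plumbing by replacing the embedded listings with `sys.stdin.read()`; the checks are textual, so a rule that reaches the internal network through a table or a macro instead of a literal `to 10.0.0.0/24` will be reported as missing and needs to be read by hand.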