From owner-freebsd-ipfw@FreeBSD.ORG  Fri Nov 14 03:11:14 2008
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 61F301065678;
	Fri, 14 Nov 2008 03:11:14 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [220.233.188.227])
	by mx1.freebsd.org (Postfix) with ESMTP id A5E388FC1C;
	Fri, 14 Nov 2008 03:11:13 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from localhost (localhost [127.0.0.1])
	by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id mAE2mfhe051406;
	Fri, 14 Nov 2008 13:48:41 +1100 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Fri, 14 Nov 2008 13:48:41 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Julian Elischer <julian@elischer.org>
In-Reply-To: <491CD94F.3020207@elischer.org>
Message-ID: <20081114133913.K70117@sola.nimnet.asn.au>
References: <491CD94F.3020207@elischer.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: FreeBSD Net <freebsd-net@freebsd.org>, ipfw@freebsd.org
Subject: Re: rc.firewall quick change
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2008 03:11:14 -0000

On Thu, 13 Nov 2008, Julian Elischer wrote:
 > At home I use the following change.
 > 
 > 
 > basically, instead of doing 8 rules before and after the nat,
 > use a table and to 1 rule on each side.
 > 
 > 
 > any objections?

Only that if people are already using tables for anything, chances are 
they've already used table 1 (well, it's the first one I used :)  How 
about using table 127 for this as a rather less likely prior choice?

Apart from that, this will speed up 'simple' on a path every packet 
takes, which has to be a good thing.

While I'm at it, I'll offer my own rc.firewall patch again in the 
following message.  Perhaps you'd care to review it in this context?

cheers, Ian

 > (warning, cut-n-paste patch.. will not apply)
 > 
 > Index: rc.firewall
 > ===================================================================
 > --- rc.firewall (revision 184948)
 > +++ rc.firewall (working copy)
 > @@ -231,19 +231,24 @@
 >         ${fwcmd} add deny all from ${onet} to any in via ${iif}
 > 
 >         # Stop RFC1918 nets on the outside interface
 > -       ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
 > -       ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
 > -       ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 > +       ${fwcmd} table 1 add 10.0.0.0/8
 > +       ${fwcmd} table 1 add 172.16.0.0/12
 > +       ${fwcmd} table 1 add 192.168.0.0/16
 > 
 >         # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
 > RESERVED-1,
 >         # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class
 > E)
 >         # on the outside interface
 > -       ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
 > -       ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
 > -       ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
 > -       ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
 > -       ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
 > +       ${fwcmd} table 1 add 0.0.0.0/8
 > +       ${fwcmd} table 1 add 169.254.0.0/16
 > +       ${fwcmd} table 1 add 192.0.2.0/24
 > +       ${fwcmd} table 1 add 224.0.0.0/4
 > +       ${fwcmd} table 1 add 240.0.0.0/4
 > 
 > +        # Stop the above nets with the table
 > +
 > +       ${fwcmd} add deny all from any to "table(1)" via ${oif}
 > +
 > +
 >         # Network Address Translation.  This rule is placed here deliberately
 >         # so that it does not interfere with the surrounding address-checking
 >         # rules.  If for example one of your internal LAN machines had its IP
 > @@ -260,19 +265,8 @@
 >         esac
 > 
 >         # Stop RFC1918 nets on the outside interface
 > -       ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
 > -       ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
 > -       ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
 > +       ${fwcmd} add deny all from "table(1)" to any via ${oif}
 > 
 > -       # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
 > RESERVED-1,
 > -       # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class
 > E)
 > -       # on the outside interface
 > -       ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
 > -       ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
 > -       ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
 > -       ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
 > -       ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
 > -
 >         # Allow TCP through if setup succeeded
 >         ${fwcmd} add pass tcp from any to any established
 > 
 > _______________________________________________
 > freebsd-ipfw@freebsd.org mailing list
 > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
 > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
 >