Date: Thu, 16 Sep 1999 04:10:02 -0700 (PDT)
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: freebsd-bugs@FreeBSD.org
Subject: Re: conf/13769: [PATCH] NATD & rc.firewall "simple" not compatible
Message-ID: <199909161110.EAA20865@freefall.freebsd.org>
The following reply was made to PR conf/13769; it has been noted by GNATS. 
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: Gregory Bond <gnb@itga.com.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: conf/13769: [PATCH] NATD & rc.firewall "simple" not compatible
Date: Thu, 16 Sep 1999 13:49:29 +0300

On Thu, Sep 16, 1999 at 12:45:11PM +1000, Gregory Bond wrote:
[...]
> # Stop RFC1918 nets on the outside interface
> - $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> - $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> - $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> - $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> - $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> - $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> + $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
> + $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
> + $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
> + $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
> + $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
> + $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}

First, thank you very much for your problem report!

But this modification would make an unnecessary ipfw(8) tweak.
A more robust (IMO) patch is attached.
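Review bot: the `in` qualifier added to the three `from <RFC1918 net> to any` rules in this quoted hunk narrows them to inbound packets only, so a packet carrying a private source address that leaves on ${oif} (one natd did not translate, or any outbound packet when natd is not running) is no longer denied, whereas the original `via ${oif}` form dropped it in both directions. The re-injection problem that the PR describes concerns the opposite direction: after natd rewrites the destination of an inbound packet to a private address, the `to <RFC1918 net>` rules match it, so only those rules need the `out` qualifier. Suggest leaving the `from` rules as `via ${oif}` and adding `out` only to the `to` rules, which keeps egress filtering of private source addresses intact.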
-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

Content-Disposition: attachment; filename=p

Index: rc.firewall
===================================================================
RCS file: /usr/FreeBSD-CVS/src/etc/rc.firewall,v
retrieving revision 1.19.2.2
diff -u -r1.19.2.2 rc.firewall
--- rc.firewall 1999/08/29 14:18:55 1.19.2.2
+++ rc.firewall 1999/09/16 10:23:24
@@ -66,7 +66,10 @@
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
- $fwcmd add divert natd all from any to any via ${natd_interface}
+ $fwcmd add 50 divert natd all from any to any via ${natd_interface}
+ _natd_enabled="YES"
+else
+ _natd_enabled=""
fi
############
@@ -152,11 +155,11 @@
# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
- $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
+ $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 ${_natd_enabled:+out} via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
- $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
+ $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 ${_natd_enabled:+out} via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
- $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
+ $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 ${_natd_enabled:+out} via ${oif}
# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established
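Review bot: in the first hunk (@@ -66,7 +66,10 @@) the divert rule is pinned to rule number 50 and the `_natd_enabled` marker is introduced, but neither is documented. The fixed number is what guarantees the divert runs before every other rule that is added later by plain `$fwcmd add`, and it will clash with any rule an administrator has already installed as number 50; a one-line comment above `$fwcmd add 50 divert natd ...` stating that it must sort first, and one above `_natd_enabled="YES"` saying that the variable is consumed further down to relax the RFC1918 deny rules, would make both dependencies visible to anyone editing this file.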
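Review bot: in the second hunk (@@ -152,11 +155,11 @@) `${_natd_enabled:+out}` is valid sh but opaque inside a firewall rule: it expands to `out` only when `_natd_enabled` is non-empty, so with natd running the three `to <RFC1918 net>` rules deny only outbound leaks and no longer drop the inbound packet that re-enters the ruleset with a private destination after translation (the behaviour the first hunk's context comment describes), while without natd they stay bidirectional; the `from <RFC1918 net> to any` rules are unchanged and keep filtering private source addresses in both directions. Suggest a short comment above these rules explaining that, and note that the relaxation depends on `_natd_enabled` always being assigned in the first hunk (the `else` branch sets it to the empty string), so that block must not be moved under a condition that can skip it.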