Date:      Wed, 26 Jul 2000 15:10:06 -0700 (PDT)
From:      Stephen Montgomery-Smith <stephen@math.missouri.edu>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: conf/20197: rc.firewall with firewall_type=simple doesn't work with  natd
Message-ID:  <200007262210.PAA86270@freefall.freebsd.org>

The following reply was made to PR conf/20197; it has been noted by GNATS.

From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: freebsd-gnats-submit@FreeBSD.org, stephen@math.missouri.edu
Cc:  
Subject: Re: conf/20197: rc.firewall with firewall_type=simple doesn't work with natd
Date: Wed, 26 Jul 2000 17:04:25 -0500

 
 Sorry, what I have doesn't work - use this instead:
 
 -- 
 Stephen Montgomery-Smith
 Department of Mathematics, University of Missouri, Columbia, MO 65211
 Phone 573-882-4540, fax 573-882-1869
 http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu
 
 --- /usr/etc-chg/4.0158/etc/rc.firewall	Sat Jul 15 19:31:58 2000
 +++ rc.firewall-default	Wed Jul 26 17:01:10 2000
 @@ -170,6 +170,17 @@
  	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
  	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
  
 +	# Change the outgoing natd rule to here, otherwise the RFC1918
 +	# rules might kill valid packets made by natd
 +	case ${natd_enable} in
 +	[Yy][Ee][Ss])
 +		if [ -n "${natd_interface}" ]; then
 +		${fwcmd} delete 50
 +	      	${fwcmd} add divert natd all from any to any out via ${natd_interface}
 +		fi
 +		;;
 +	esac
 +
  	# Stop RFC1918 nets on the outside interface
  	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
  	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
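Review bot: `${fwcmd} delete 50` hard-codes the number of the divert rule that the stock script installs earlier, which is fragile: if that earlier rule is ever renumbered or not added (natd_interface empty, a different firewall_type path), the delete either fails or removes an unrelated rule 50, and the original bidirectional divert silently stays in front of the anti-spoofing rules, defeating the point of this hunk. A cleaner fix is to drop the early `add 50 divert` for the simple type instead of add-then-delete, or at least derive the number from one variable used in both places. Minor style point: the `add divert natd ... out via` line mixes spaces and tabs, unlike the surrounding tab-indented lines.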
 @@ -177,6 +188,16 @@
  	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
  	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
  	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 +
 +	# Change the incoming natd rule to here, otherwise the RFC1918
 +	# rules might kill valid packets made by natd
 +	case ${natd_enable} in
 +	[Yy][Ee][Ss])
 +		if [ -n "${natd_interface}" ]; then
 +	      	${fwcmd} add divert natd all from any to any in via ${natd_interface}
 +		fi
 +		;;
 +	esac
  
  	# Stop draft-manning-dsua-01.txt nets on the outside interface
  	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
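Review bot: this hunk depends on the first one having deleted the original two-way divert rule (it only re-adds the `in via` half), but nothing in the comment says so; a reader seeing only this block would assume the inbound divert is merely moved, not that the outbound half lives 170 lines earlier. Note the ordering intent explicitly in the comment ("outbound divert is added above the RFC1918 rules, inbound below them, because natd rewrites the destination to an RFC1918 address and the reinjected packet continues at the next rule"), and consider folding the repeated `case ${natd_enable}` test into one shell function so the two halves cannot drift apart.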
 