Date:      Tue, 11 Jul 2000 20:33:27 -0400 (EDT)
From:      Colin <cwass99@home.com>
To:        Doug White <dwhite@resnet.uoregon.edu>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: natd inconsistencies
Message-ID:  <XFMail.000711203327.cwass99@home.com>
In-Reply-To: <Pine.BSF.4.21.0007101647360.23759-100000@resnet.uoregon.edu>

     I'm still not sure I understand why this works the way it does, but I'm
digging through the code for ipfw and natd, so we'll see where that leads.
     In the meantime, I can't believe I'm the only person who has hit this.  To
that end, I'm proposing a minor change to rc.firewall (diff at the end of the
message).  Specifically, I moved the conditional addition of the divert rule to
after the spoofing and RFC1918 rules.  I don't see how this could reduce
security, and it resolves the issue I saw.
     Any comments on the advisability of this (good or bad) or can I get
someone to move this in for 4.1?  Thanks.


*** rc.firewall.old     Tue Jul 11 20:07:12 2000
--- rc.firewall.new     Tue Jul 11 20:54:23 2000
***************
*** 65,83 ****
  #
  ${fwcmd} -f flush

- ############
- # These rules are required for using natd.  All packets are passed to
- # natd before they encounter your remaining rules.  The firewall rules
- # will then be run again on each packet after translation by natd,
- # minus any divert rules (see natd(8)).
- #
- case ${natd_enable} in
- [Yy][Ee][Ss])
-       if [ -n "${natd_interface}" ]; then
-             ${fwcmd} add divert natd all from any to any via ${natd_interface}
-       fi
-       ;;
- esac

  ############
  # If you just configured ipfw in the kernel as a tool to solve network
--- 65,70 ----
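Review bot: this hunk removes the natd divert block from directly after `${fwcmd} -f flush`, i.e. from a position that ran before any ruleset-specific section, and the only re-insertion (hunk at 176,181) sits inside a section that uses `${oif}`, `${inet}` and `${imask}`. Any configuration that selects a different ruleset from rc.firewall would therefore silently lose its `divert natd` rule even with natd_enable set. Either keep a copy of the block reachable from every ruleset type, or state in the comment that natd is now only wired into this one section.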
***************
*** 165,171 ****
        imask="255.255.255.240"
        iip="192.0.2.17"

!       # Stop spoofing
        ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

--- 152,158 ----
        imask="255.255.255.240"
        iip="192.0.2.17"

!       # Stop spoofing.  These rules should preceed the divert rule for natd
if used.
        ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
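Review bot: "preceed" in the new comment should be "precede". The comment line has also been wrapped by the mailer ("if used." on a line of its own without the `!` prefix), so the patch as posted will not apply with patch(1); the same wrapping hits the `${fwcmd} add divert natd` line in the next hunk. Re-send with line wrapping off or as an attachment.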
***************
*** 176,181 ****
--- 163,183 ----
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
+
+
+         ############
+         # These rules are required for using natd.  All packets are passed to
+         # natd before they encounter your remaining rules.  The firewall rules
+         # will then be run again on each packet after translation by natd,
+         # minus any divert rules (see natd(8)).
+         #
+         case ${natd_enable} in
+         [Yy][Ee][Ss])
+               if [ -n "${natd_interface}" ]; then
+               ${fwcmd} add divert natd all from any to any via
${natd_interface}
+               fi
+               ;;
+         esac

        # Stop draft-manning-dsua-01.txt nets on the outside interface
        ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
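Review bot: with the RFC1918 rules now ahead of the divert, an outbound packet from a host in 192.168.0.0/16 is matched by the context line `${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}` before natd has rewritten its source address (`via` matches both directions), so a LAN numbered from RFC1918 space loses outbound connectivity through this box. The problem being fixed is the mirror image: with the divert first, an inbound reply is translated to a 192.168 destination and then hits the `from any to 192.168.0.0/16` rule. A safer arrangement is to keep the `from any to <rfc1918 net>` rules before the divert and move only the `from <rfc1918 net> to any` rules after it, so neither direction is checked against an address natd is about to change. Minor: the `${fwcmd} add divert natd ...` line is wrapped onto two lines, and it is indented at the same level as the `if` rather than one level deeper as in the removed block.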





On 10-Jul-00 Doug White wrote:
> On Mon, 10 Jul 2000, Colin wrote:
> 
>>      I found this rule was the problem using ipfw show (a very useful command
>> when you're building a ruleset to see what is blocking you) which is why I
>> moved it.  My concern is that it shouldn't block packets from an external
>> source (eg www.FreeBSD.org ;) to 192.168.0.0/24.  It should only block packets
>> from that network incoming on the external interface.  I understood natd would
>> alter the dest addr on the inbound packet if it was in the table but not touch
>> the source addr.  Is this not the case?  Or am I missing something obvious in
>> the operation?
> 
> Don't forget about the return packets :)
> 
> Doug White                    |  FreeBSD: The Power to Serve
> dwhite@resnet.uoregon.edu     |  www.FreeBSD.org

Cheers,
Colin
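As an added illustration, not code from this thread or from FreeBSD's rc.firewall, the Python model below walks constructed packets through three orderings of the rules quoted in the diff: the original (divert first), the proposed one (divert after the RFC1918 rules), and a split ordering that keeps the `to <rfc1918>` denies before the divert and the `from <rfc1918>` denies after it. It assumes, as the reported fix implies, that after natd rewrites a diverted packet ipfw resumes at the rule following the divert rule, and it uses assumed interface names, an assumed natd alias address, and one pre-existing NAT session so that the reply direction can be tested.

```python
"""Toy model of ipfw first-match evaluation around a `divert natd` rule.

Constructed example; not ipfw or rc.firewall code.  The one behaviour it
models is that a packet matching `divert natd` is rewritten by natd and then
continues at the rule AFTER the divert, so rules placed before the divert
never see the translated addresses.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

OIF = "fxp0"                           # assumed ${oif} (outside interface)
PUBLIC_IP = ip_address("203.0.113.2")  # assumed natd alias address on ${oif}
INET = ip_network("192.168.0.0/24")    # assumed inside net (${inet}:${imask})


@dataclass
class Packet:
    src: str
    dst: str
    iface: str
    direction: str  # "in" or "out"


@dataclass
class Rule:
    action: str                        # "deny" or "divert"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    via: Optional[str] = None          # `via ifname`: matches either direction
    direction: Optional[str] = None    # `in`/`out` keyword, None for both

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.via is None or self.via == p.iface)
                and (self.direction is None or self.direction == p.direction))


@dataclass
class Natd:
    """Minimal natd: outbound sources become PUBLIC_IP, replies are mapped
    back.  `flows` holds (private_src, remote_dst) sessions."""
    flows: set = field(default_factory=set)

    def translate(self, p: Packet) -> None:
        if p.direction == "out" and ip_address(p.src) in INET:
            self.flows.add((p.src, p.dst))
            p.src = str(PUBLIC_IP)
        elif p.direction == "in" and ip_address(p.dst) == PUBLIC_IP:
            for private, remote in self.flows:
                if remote == p.src:
                    p.dst = private
                    break


def evaluate(rules, pkt: Packet, nat: Natd) -> str:
    """First-match walk; a divert translates and continues with the next rule."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            nat.translate(pkt)
            continue
        return "deny"
    return "pass"  # fell through to whatever rules follow in the real ruleset


# The rules quoted in the diff, as Rule objects (192.168/16 case only).
ANTISPOOF = Rule("deny", src=str(INET), via=OIF, direction="in")
FROM_RFC1918 = Rule("deny", src="192.168.0.0/16", via=OIF)
TO_RFC1918 = Rule("deny", dst="192.168.0.0/16", via=OIF)
DIVERT = Rule("divert", via=OIF)

ORDERINGS = {
    "original (divert first)": [DIVERT, ANTISPOOF, FROM_RFC1918, TO_RFC1918],
    "proposed (divert last)": [ANTISPOOF, FROM_RFC1918, TO_RFC1918, DIVERT],
    "split (to-RFC1918 before, from-RFC1918 after)":
        [ANTISPOOF, TO_RFC1918, DIVERT, FROM_RFC1918],
}


def outcomes(rules) -> dict:
    """Run four constructed packets through a ruleset, with a session for
    192.168.0.5 <-> 198.51.100.1 already present in natd's table."""
    nat = Natd({("192.168.0.5", "198.51.100.1")})
    packets = {
        "lan host out": Packet("192.168.0.5", "198.51.100.1", OIF, "out"),
        "reply in": Packet("198.51.100.1", str(PUBLIC_IP), OIF, "in"),
        "spoofed lan src in": Packet("192.168.0.7", "198.51.100.1", OIF, "in"),
        "direct to lan addr in": Packet("198.51.100.1", "192.168.0.9", OIF, "in"),
    }
    return {name: evaluate(rules, p, nat) for name, p in packets.items()}


if __name__ == "__main__":
    for name, rules in ORDERINGS.items():
        print(name)
        for pkt, verdict in outcomes(rules).items():
            print(f"  {pkt:24s} {verdict}")
```

Running it shows the original ordering passing the LAN host's outbound packet but denying the translated reply (the symptom reported in the thread), the proposed ordering denying the untranslated outbound packet instead, and the split ordering passing both while still denying the spoofed and directly-addressed inbound packets.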
