Date: Sat, 20 Apr 2002 17:35:31 -0700 (PDT)
From: Earl Killian <earl@killian.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/37301: 4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp
Message-ID: <200204210035.g3L0ZVE01160@freefall.freebsd.org>
>Number:         37301
>Category:       misc
>Synopsis:       4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 20 17:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Earl Killian
>Release:        4.5
>Organization:
>Environment:
FreeBSD gate.killian.com 4.5-RELEASE FreeBSD 4.5-RELEASE #1: Mon Apr 15 20:21:44 PDT 2002 root@:/usr/src/sys/compile/GATE i386
>Description:
I tried the 4.5-RELEASE rc.firewall with firewall_type="simple" and
natd_enable="YES", and I was not able to talk to my gateway machine from
the hosts on the inside.

Looking at the rules below, I see only one rule that is specific to iif,
and that is just to prevent the inside from pretending to be outside.
Most of the rules are via oif, or to oip, and so don't apply to an inside
machine talking to iip via iif. If I eliminate those rules, I'm left
with:

Rules that apply to inet:imask talking to iip via iif:

    deny all from any to 127.0.0.0/8
    deny ip from 127.0.0.0/8 to any
    deny all from ${onet}:${omask} to any in via ${iif}
    pass tcp from any to any established
    pass all from any to any frag
    pass tcp from any to any setup

So what about icmp and udp? Do other sites really use this fw and just
not ping or dns/ntp to their gateway from inside?

Shouldn't the following be added after the stop-spoofing rules or
something?:

    # Allow internal hosts complete access
    allow all from ${inet}:${imask} to ${iip} in recv ${iif}
    allow all from ${iip} to ${inet}:${imask} out xmit ${iif}

I also notice there are no rules for icmp at all. Shouldn't there be a

    # Allow pings out in the world
    pass icmp from ${oip} to any keep-state

down with the dns/ntp rules?
>How-To-Repeat:
Configure with firewall_type="simple". ping to the gateway from an inside
machine and get no response.

ntp and dns also do not work if you give the inside IP address of the
gateway as the server for these protocols.
>Fix:
See description.
>Release-Note:
>Audit-Trail:
>Unformatted:
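The rule walk-through in the report, as an added example that is not part of the PR or of rc.firewall: a first-match model of the six rules the submitter lists, evaluated for inside-to-gateway packets with and without the proposed pass rule. The addresses, interface name and rule encoding are constructed assumptions, and the model only covers the inbound ("in recv iif") direction; real ipfw matching is richer than this.

```python
"""Added example (not from the PR or rc.firewall): first-match evaluation of
the rc.firewall "simple" rules that the report says are the only ones that
apply to an inside host talking to the gateway's inside address via iif."""
from ipaddress import ip_address, ip_network

# Constructed sample values standing in for the rc.firewall variables.
INET, IIP, IIF = ip_network("192.168.1.0/24"), ip_address("192.168.1.1"), "ed1"
ONET = ip_network("203.0.113.0/28")          # the outside net (onet:omask)
ANY = ip_network("0.0.0.0/0")
LOOPBACK = ip_network("127.0.0.0/8")

# Rule encoding: (action, proto, src, dst, in_iface, tcp_or_frag_flag).
# The six rules the report lists, in rc.firewall order.
BASE_RULES = [
    ("deny", "all", ANY, LOOPBACK, None, None),
    ("deny", "ip", LOOPBACK, ANY, None, None),
    ("deny", "all", ONET, ANY, IIF, None),          # stop spoofing in via iif
    ("pass", "tcp", ANY, ANY, None, "established"),
    ("pass", "all", ANY, ANY, None, "frag"),
    ("pass", "tcp", ANY, ANY, None, "setup"),
]
# The report's proposed fix, inserted right after the stop-spoofing rules.
# Only the "in recv iif" half is modelled; replies (out xmit iif) are not.
PROPOSED_RULES = BASE_RULES[:3] + [
    ("pass", "all", INET, ip_network(f"{IIP}/32"), IIF, None),
] + BASE_RULES[3:]

def matches(rule, pkt):
    _action, proto, src, dst, iface, flag = rule
    return (proto in ("all", "ip", pkt["proto"])
            and ip_address(pkt["src"]) in src and ip_address(pkt["dst"]) in dst
            and (iface is None or pkt["iface"] == iface)
            and (flag is None or pkt["flag"] == flag))

def verdict(rules, pkt):
    """ipfw is first-match; with the default kernel config anything that
    falls off the end of the list is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

def inside_to_gateway(proto, flag=None):
    """A packet from a constructed inside host to iip, arriving via iif."""
    return {"proto": proto, "src": "192.168.1.50", "dst": str(IIP),
            "iface": IIF, "flag": flag}

def report(rules):
    """Verdicts for the three kinds of traffic the PR is about."""
    cases = {"tcp setup": ("tcp", "setup"), "udp dns": ("udp", None),
             "icmp ping": ("icmp", None)}
    return {name: verdict(rules, inside_to_gateway(*c)) for name, c in cases.items()}

if __name__ == "__main__":
    print("simple:  ", report(BASE_RULES))      # tcp passes, udp and icmp denied
    print("proposed:", report(PROPOSED_RULES))  # all three pass
```

The spoofing rule still fires ahead of the added pass rule, so an outside-net source arriving via iif stays denied in both rule sets.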