Date:      Fri, 14 Nov 2008 13:53:28 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        net@freebsd.org, ipfw@freebsd.org
Subject:   Re: Speaking of rc.firewall .. (fwd)
Message-ID:  <20081114134925.E70117@sola.nimnet.asn.au>


---------- Forwarded message ----------
Date: Fri, 17 Oct 2008 05:24:43 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: freebsd-ipfw@freebsd.org
Subject: Re: Speaking of rc.firewall ..

On Thu, 16 Oct 2008, Ian Smith wrote:
 > I see that both HEAD and RELENG_7 rc.firewall have been updated for in-
 > kernel NAT functionality, but only for the 'open' and 'client' rulesets.
 > 
 > Is there any (functional) reason that the ${firewall_nat_enable} case is 
 > not also included in the 'simple' rules, where its different placement 
 > is determined by being preceded and anteceded by anti-spoofing rules?
 > 
 > I'm also slightly bemused by the lack (still) of any rules to allow any 
 > ICMP (especially necessary icmptypes for MTU discovery) in 'simple'?

To put my patch where my mouth is, assuming that the answer to my first 
question is likely 'no', this is against the present RELENG_7 version.

It addresses the second (ICMP) issue for 'client' and 'simple', and I 
see no harm in enabling outbound pings for such out-of-the-box setups?

Hope this format's useful (just diff -u), and also that inline is ok.

cheers, Ian


--- rc.firewall.1.52.2.3	Fri Oct 17 01:34:56 2008
+++ rc.firewall	Fri Oct 17 04:27:36 2008
@@ -116,15 +116,14 @@
 # will then be run again on each packet after translation by natd
 # starting at the rule number following the divert rule.
 #
-# For ``simple'' firewall type the divert rule should be put to a
+# For ``simple'' firewall type the divert rule is included in a
 # different place to not interfere with address-checking rules.
 #
-case ${firewall_type} in
-[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
+setup_nat () {
 	case ${natd_enable} in
 	[Yy][Ee][Ss])
 		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
+			${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface}
 		fi
 		;;
 	esac
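Review bot: setup_nat now takes an optional rule number in $1, but nothing in the hunk says so, and the 'simple' caller passes none and relies on ipfw picking the next free number for `${fwcmd} add $1 divert natd ...`. Add a one-line comment above `setup_nat () {`, something like `# setup_nat [rulenum]: add the natd divert (or in-kernel nat) rule; with no rulenum ipfw numbers it after the preceding rule`, and note there that `$1` is left unquoted on purpose so that an absent argument disappears instead of reaching ipfw as an empty word.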
@@ -138,11 +137,11 @@
 				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
 			fi
 			${fwcmd} nat 123 config log ${firewall_nat_flags}
-			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
+			${fwcmd} add $1 nat 123 ip4 from any to any via ${firewall_nat_interface}
 		fi
 		;;
 	esac
-esac
+}
 
 ############
 # If you just configured ipfw in the kernel as a tool to solve network
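Review bot: the natd_enable and firewall_nat_enable branches remain two independent `case` statements inside setup_nat, so a host with both set gets both `add $1 divert natd` and `add $1 nat 123` for the same interface at the same position. The original open/client code had the same gap, but now that one function serves every ruleset it is the place to make the in-kernel branch conditional on natd not being enabled, or at least to state in the comment block above the function that the two settings are mutually exclusive.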
@@ -157,6 +156,7 @@
 #
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn])
+	setup_nat 50
 	${fwcmd} add 65000 pass all from any to any
 	;;
 
@@ -172,6 +172,8 @@
 	# set this to your local network
 	net="$firewall_client_net"
 
+	setup_nat 50
+
 	# Allow any traffic to or from my own net.
 	${fwcmd} add pass all from me to ${net}
 	${fwcmd} add pass all from ${net} to me
@@ -197,6 +199,12 @@
 	# Allow NTP queries out in the world
 	${fwcmd} add pass udp from me to any 123 keep-state
 
+	# Allow outbound pings
+	${fwcmd} add pass icmp from me to any out icmptypes 8 keep-state
+
+	# Allow essential ICMP: unreachable, source quench, TTL exceeded
+	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
+
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
 	# config file.
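Review bot: in the `icmptypes 3,4,11` rule, type 4 (source quench) is obsolete in practice and only gives an outsider a way to ask the host to slow down; types 3 and 11 are what path MTU discovery (type 3 code 4) and traceroute need, so `icmptypes 3,11` would do. For the echo rule, the replies get back in only because the dynamic entry created by `keep-state` is matched at the ruleset's check-state point, which, absent an explicit `check-state` rule, is the first `keep-state` rule in the ruleset; a short comment on that would save the next reader from wondering how type 0 replies pass.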
@@ -248,13 +256,7 @@
 	# translated by natd(8) would match the `deny' rule above.  Similarly
 	# an outgoing packet originated from it before being translated would
 	# match the `deny' rule below.
-	case ${natd_enable} in
-	[Yy][Ee][Ss])
-		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add divert natd all from any to any via ${natd_interface}
-		fi
-		;;
-	esac
+	setup_nat
 
 	# Stop RFC1918 nets on the outside interface
 	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
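Review bot: replacing `divert natd all from any to any` with a call whose rule reads `divert natd ip4 from any to any` means the simple ruleset no longer diverts non-IPv4 traffic to natd. That is the correct behaviour, natd only translates IPv4, but it is a silent change and belongs in the commit message. The comment above the call still describes natd(8) only; since the same call now also installs the in-kernel `nat 123` rule when firewall_nat_enable is set, and placing that rule between the two anti-spoofing blocks is the point of this hunk, extend the comment to cover both.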
@@ -298,6 +300,12 @@
 
 	# Allow NTP queries out in the world
 	${fwcmd} add pass udp from me to any 123 keep-state
+
+	# Allow outbound pings from our net
+	${fwcmd} add pass icmp from any to any out icmptypes 8 keep-state
+
+	# Allow essential ICMP: unreachable, source quench, TTL exceeded
+	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
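Review bot: the comment says "from our net", but `pass icmp from any to any out icmptypes 8 keep-state` only matches a packet on its outbound pass. A forwarded echo request from the inside network is first evaluated when it arrives on the inside interface, where `out` does not match, so unless an earlier rule in this ruleset passes ICMP it falls through to the default deny; as written, only pings originated by the gateway itself get out. Either drop `out`, or add the matching inbound rule on the inside interface and narrow the source to the inside network rather than `any`, in the same style as the `via ${oif}` rules above.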


