natd broken for days

Sean McNeil sean at mcneil.com
Thu Nov 11 05:25:31 PST 2004


It has been reported that both amd64 and i386 architectures will panic
in natd by jumping to address 0.  There has been no discussion since the
reports, however, and I was wondering if anyone is looking into it.
Should I file a bug report?

I have nothing special, just turned on some options in the kernel and
some things in rc.conf...

config file:

options         BRIDGE                  # bridge ethernet adapters

options         IPFIREWALL
options         IPFIREWALL_FORWARD
options         IPDIVERT

/etc/rc.conf:

firewall_enable="YES"
firewall_type="/etc/fw/rc.firewall.rules"
firewall_quiet="NO"

natd_enable="YES"
natd_flags="-f /etc/fw/natd.conf"
natd_interface="dc0"

/etc/fw/rc.firewall.rules:

#set and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow all from any to any via lo0
add 00110 deny all from any to 127.0.0.0/8
add 00120 deny all from any to any not verrevpath in

add 00301 allow all from me to 192.168.1.0/24 via dc0
add 00302 deny all from any to 10.0.0.0/8 via dc0
add 00303 deny all from any to 172.16.0.0/12 via dc0
add 00304 deny all from any to 192.168.0.0/16 via dc0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd all from any to me in via dc0
add 01001 check-state

add 03001 allow all from 192.168.1.0/24 to me via dc0
add 03002 deny all from 10.0.0.0/8 to any via dc0
add 03003 deny all from 172.16.0.0/12 to any via dc0
add 03004 deny all from 192.168.0.0/16 to any via dc0
add 03005 deny all from 66.159.66.56/29 to any via dc0

# Allow TCP through if setup succeeded
add 04000 pass tcp from any to any established

# Allow IP fragments to pass through
add 04010 pass all from any to any frag

# allow all traffic from the local net to the router
add 04100 allow all from 192.168.10.0/24 to me in via re0

# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 all from 192.168.10.0/24 to any in via re0 keep-state

# allow all outgoing traffic from the router
add 05000 allow all from me to any out via re0
add 05010 allow all from me to any out keep-state
add 60000 skipto 62000 all from any to any

# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd all from 192.168.10.0/24 to any out via dc0

# this is a good packet
add 62000 allow all from any to any

/etc/fw/natd.conf:

unregistered_only
use_sockets
# dynamically open fw for ftp, irc
punch_fw 2000:50
