a couple /etc/rc.firewall questions

Don Lewis truckman at FreeBSD.org
Sat Aug 22 21:03:49 UTC 2015


The example /etc/rc.firewall has provisions to use either in-kernel NAT
or natd for the open and client firewall types, but the simple firewall
type only has code for natd.  Is there any reason that in-kernel NAT
could not be used with the simple firewall type?

After allowing connections to selected TCP ports and then denying all
other incoming TCP setup connections from ${oif}, the simple firewall
code in /etc/rc.firewall then permits all other TCP setup connections:
	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup
This is potentially undesirable since it allows unrestricted TCP
connections between "me" and the inside network.  When I changed this to
	${fwcmd} add pass tcp from any to any out via ${oif} setup
I was able to open TCP connections from the firewall box to the outside,
but NATed connections from the inside network to the outside were blocked.
If I run "ipfw show", it appears that the TCP setup packets are falling
through to the final implicit deny-all rule, but I don't see any obvious
reason.




More information about the freebsd-net mailing list