a couple /etc/rc.firewall questions
Hiroki Sato
hrs at FreeBSD.org
Sat Aug 22 23:45:29 UTC 2015
Don Lewis <truckman at FreeBSD.org> wrote
in <201508222103.t7ML3gAx000794 at gw.catspoiler.org>:
tr> The example /etc/rc.firewall has provisions to use either in-kernel NAT
tr> or natd for the open and client firewall types, but the simple filewall
tr> type only has code for natd. Is there any reason that in-kernel NAT
tr> could not be used with the simple firewall type?
I think there is no particular reason. Simple rule was just not updated.
tr> After allowing connections to selected TCP ports and then denying all
tr> other incoming TCP setup connections from ${oif}, the simple firewall
tr> code in /etc/rc.firewall then permits all other TCP setup connections:
tr> # Allow setup of any other TCP connection
tr> ${fwcmd} add pass tcp from any to any setup
tr> This is potentially undesirable since it allows unrestricted TCP
tr> connections between "me" and the inside network. When I changed this to
tr> ${fwcmd} add pass tcp from any to any out via ${oif} setup
tr> I was able to open TCP connections from the firewall box to the outside,
tr> but NATed connections from inside network to the outside were blocked.
tr> If I run "ipfw show", it appears that the TCP setup packets are falling
tr> through to the final implicit deny all rule, but I don't see any obvious
tr> reason.
A TCP setup packet coming from a host on the internal LAN to the NAPT
router falls into the last deny-all rule because it does not match if
you added "out via ${oif}" to that rule. Does the following
additional rule work for you?
${fwcmd} add pass tcp from any to any out via ${oif} setup
${fwcmd} add pass tcp from any to not me in via ${iif} setup
-- Hiroki
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20150823/5108ea72/attachment.bin>
More information about the freebsd-net
mailing list