a couple /etc/rc.firewall questions

Hiroki Sato hrs at FreeBSD.org
Sat Aug 22 23:45:29 UTC 2015


Don Lewis <truckman at FreeBSD.org> wrote
  in <201508222103.t7ML3gAx000794 at gw.catspoiler.org>:

tr> The example /etc/rc.firewall has provisions to use either in-kernel NAT
tr> or natd for the open and client firewall types, but the simple firewall
tr> type only has code for natd.  Is there any reason that in-kernel NAT
tr> could not be used with the simple firewall type?

 I think there is no particular reason.  Simple rule was just not updated.

tr> After allowing connections to selected TCP ports and then denying all
tr> other incoming TCP setup connections from ${oif}, the simple firewall
tr> code in /etc/rc.firewall then permits all other TCP setup connections:
tr> 	# Allow setup of any other TCP connection
tr> 	${fwcmd} add pass tcp from any to any setup
tr> This is potentially undesirable since it allows unrestricted TCP
tr> connections between "me" and the inside network.  When I changed this to
tr> 	${fwcmd} add pass tcp from any to any out via ${oif} setup
tr> I was able to open TCP connections from the firewall box to the outside,
tr> but NATed connections from inside network to the outside were blocked.
tr> If I run "ipfw show", it appears that the TCP setup packets are falling
tr> through to the final implicit deny all rule, but I don't see any obvious
tr> reason.

 A TCP setup packet coming from a host on the internal LAN to the NAPT
 router falls into the last deny-all rule because it does not match if
 you added "out via ${oif}" to that rule.  Does the following
 additional rule work for you?

 ${fwcmd} add pass tcp from any to any out via ${oif} setup
 ${fwcmd} add pass tcp from any to not me in via ${iif} setup

-- Hiroki
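Added example, not from this thread or from /etc/rc.firewall itself: a small
sh script that assembles the TCP-setup part of a "simple"-style rule set with
the two rules above, plus an in-kernel nat instance in place of natd. It runs
as a dry run (${fwcmd} defaults to "echo ipfw") so the rule order can be
checked without loading anything. The variable names ${fwcmd}, ${oif} and
${iif} follow rc.firewall; the interface names em0/em1, the rule number 50,
and the port list are constructed values, and the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread or rc.firewall): build the TCP setup rules
# discussed above and dry-run them. Set fwcmd=/sbin/ipfw to load for real.

fwcmd="${fwcmd:-echo ipfw}"   # dry run by default: print the rules instead of loading them
oif="${oif:-em0}"             # outside interface (assumed name)
iif="${iif:-em1}"             # inside interface (assumed name)

# In-kernel NAT instead of natd: one nat instance bound to ${oif} and a rule
# that sends traffic crossing ${oif} through it. Rule number 50 is a
# constructed choice so that it sits ahead of the setup rules below.
in_kernel_nat_rules() {
    ${fwcmd} nat 1 config if ${oif}
    ${fwcmd} add 50 nat 1 ip4 from any to any via ${oif}
}

# TCP setup rules in the order the thread discusses. $1 is a space-separated
# list of ports the firewall box itself should accept from outside.
simple_tcp_setup_rules() {
    allowed_ports="$1"
    for port in $allowed_ports; do
        # Services offered by the firewall box to the outside
        ${fwcmd} add pass tcp from any to me ${port} in via ${oif} setup
    done
    # Reject every other inbound connection attempt on the outside interface
    ${fwcmd} add deny tcp from any to any in via ${oif} setup
    # Connections originated by the box itself or NATed from the LAN, leaving via ${oif}
    ${fwcmd} add pass tcp from any to any out via ${oif} setup
    # LAN hosts opening connections that are to be forwarded, i.e. not addressed
    # to the box itself ("not me"); without this they fell to the implicit deny
    ${fwcmd} add pass tcp from any to not me in via ${iif} setup
}

# Number of setup rules a port list produces (2 per port? no: 1 per port + 3 fixed).
count_setup_rules() {
    simple_tcp_setup_rules "$1" | grep -c ' setup$'
}

# The last rule emitted; in a working set this is the LAN forwarding rule.
last_setup_rule() {
    simple_tcp_setup_rules "$1" | tail -n 1
}

# Print the whole generated set when run directly.
if [ "${0##*/}" = "simple_nat_rules.sh" ]; then
    in_kernel_nat_rules
    simple_tcp_setup_rules "22 80 443"
fi
```

Running it with the default dry-run fwcmd prints the rules that would be
loaded; the deny for inbound SYNs on ${oif} stays in front of both pass rules,
and the "in via ${iif}" rule only admits connections that are not destined
for the firewall box itself, which is what keeps the LAN from reaching
services on "me" while still letting NATed connections out.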