rc.firewall 'simple' question

Rishi Chopra rchopra at cal.berkeley.edu
Sun Jan 18 17:01:38 PST 2004


Forgive the stupid question, but why are the 'rfc1918' and 'draft 
manning' sections repeated in the default rc.firewall file?  Does this 
have something to do with the natd statement in between them?  I 
understand the rules are processed (added) sequentially, so am I missing 
something?


         # Stop RFC1918 nets on the outside interface
         ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
         ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
         ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

         # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
         # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
         # on the outside interface
         ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
         ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
         ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
         ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
         ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

         # Network Address Translation.  This rule is placed here deliberately
         # so that it does not interfere with the surrounding address-checking
         # rules.  If for example one of your internal LAN machines had its IP
         # address set to 192.0.2.1 then an incoming packet for it after being
         # translated by natd(8) would match the `deny' rule above.  Similarly
         # an outgoing packet originated from it before being translated would
         # match the `deny' rule below.
         case ${natd_enable} in
         [Yy][Ee][Ss])
                 if [ -n "${natd_interface}" ]; then
                         ${fwcmd} add divert natd all from any to any via ${natd_interface}
                 fi
                 ;;
         esac

         # Stop RFC1918 nets on the outside interface
         ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
         ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
         ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

         # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
         # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
         # on the outside interface
         ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
         ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
         ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
         ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
         ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}


-- 
Rishi Chopra
http://www.ocf.berkeley.edu/~rchopra
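An added simulation, not part of the list post or of FreeBSD's rc.firewall, of why the two copies sit on either side of the divert: the "to" checks run on packets as they arrive, before natd rewrites the destination, and the "from" checks run after natd has rewritten the source. The addresses 203.0.113.7 and 198.51.100.20 and the one-mapping natd stand-in are assumptions.

```python
import ipaddress

# Constructed model of the ordering in the quoted rc.firewall excerpt: ipfw
# walks the rules in order, and the 'divert natd' rule rewrites the packet
# in the middle of the list, so rules after it see translated addresses.
BOGON_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
              "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",      # draft-manning
              "224.0.0.0/4", "240.0.0.0/4"]
PUBLIC_IP = "203.0.113.7"   # hypothetical address of the outside interface
LAN_HOST = "192.0.2.1"      # the misconfigured LAN host from the comment
REMOTE = "198.51.100.20"    # hypothetical Internet peer

def in_bogon(addr):
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in BOGON_NETS)

def natd(pkt):
    """Stand-in for natd(8): masquerade the LAN source on the way out and
    restore the LAN destination on the way in (one active mapping assumed)."""
    if pkt["dir"] == "out" and pkt["src"] == LAN_HOST:
        return dict(pkt, src=PUBLIC_IP)
    if pkt["dir"] == "in" and pkt["dst"] == PUBLIC_IP:
        return dict(pkt, dst=LAN_HOST)
    return pkt

DEFAULT_ORDER = ["deny-to-bogon", "divert natd", "deny-from-bogon"]  # as shipped
SWAPPED_ORDER = ["deny-from-bogon", "divert natd", "deny-to-bogon"]  # what not to do

def run(rules, pkt):
    """Walk the rule list like ipfw; return the first deny, else 'allow'."""
    for rule in rules:
        if rule == "divert natd":
            pkt = natd(pkt)           # matching resumes with the rewritten packet
        elif rule == "deny-to-bogon" and in_bogon(pkt["dst"]):
            return "deny:" + rule
        elif rule == "deny-from-bogon" and in_bogon(pkt["src"]):
            return "deny:" + rule
    return "allow"

def verdicts(rules):
    """Verdicts for the LAN host's legitimate traffic, outbound then inbound."""
    outbound = {"dir": "out", "src": LAN_HOST, "dst": REMOTE}
    inbound = {"dir": "in", "src": REMOTE, "dst": PUBLIC_IP}
    return run(rules, outbound), run(rules, inbound)

if __name__ == "__main__":
    print("default order:", verdicts(DEFAULT_ORDER))   # ('allow', 'allow')
    print("swapped order:", verdicts(SWAPPED_ORDER))   # both directions denied
```

With the shipped order the LAN host's own traffic passes and a packet arriving from outside for 10.0.0.1 is still dropped by the first block; with the blocks swapped the same host is cut off in both directions.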


More information about the freebsd-questions mailing list