ipfilter nat w/IPFILTER_DEFAULT_BLOCK kernel

Norberto Meijome freebsd at meijome.net
Tue Oct 3 06:38:09 UTC 2006


On Sat, 30 Sep 2006 20:30:28 -0400
Matt Herzog <msh at blisses.org> wrote:

> As the Subject states, I'm trying to get a FreeBSD 6.1 on sparc64 to be a
> firewall/gateway/nat machine using a IPFILTER_DEFAULT_BLOCK kernel.
> (hme0 is the external NIC. hme1 is the internal NIC.)
> 
> If I remove the line: 
> 
> pass in quick on hme0 all
> 
> none of the machines inside the NAT can reach the Internet although I can
> still ssh into the firewall/gateway machine from inside the NAT. 
> i.e. NAT breaks without "pass in quick on hme0 all"

I haven't read all your config... but I think the problem you are having is that
you are either blocking ALL traffic to hme0 (by removing the 'allow all'), or
allowing all (including external traffic!) with 'pass in quick on hme0 all'.

You need to be more specific about what you allow in and out. Read the
following and you'll get a better understanding of how it works.

Howto : http://www.obfuscation.org/ipf/ipf-howto.pdf : 

http://www.nwo.net/ipf/ipf-howto.html (html format of the pdf)

> 
> "pass in quick on hme0 all" pretty obviously defeats the purpose of the 
> IPFILTER_DEFAULT_BLOCK kernel so I'm trying to figure out a rule set that
> will work with NAT. 
Well, yes, you are not supposed to open your firewall completely - just enough
to allow you to do whatever you want :)

Good luck,
B
_________________________
{Beto|Norberto|Numard} Meijome

Sysadmins can't be sued for malpractice, but surgeons don't have to
deal with patients who install new versions of their own innards.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
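The rule set below is an added example, not part of either poster's message and not a FreeBSD project file. It shows the shape of a "be more specific" ipfilter configuration for the gateway described in the thread: hme0 external, hme1 internal, an IPFILTER_DEFAULT_BLOCK kernel, and ipnat doing the translation. The LAN prefix 192.168.1.0/24, the choice to expose only ssh on the gateway, and the file paths are assumptions for illustration. The point it demonstrates is that the blanket "pass in quick on hme0 all" is not needed for NAT to work: ipnat translates outbound packets after they are filtered and untranslates inbound packets before they are filtered, so a state entry created by a "keep state" outbound rule matches the reply when it comes back on hme0.

```conf
# /etc/ipf.rules  (example; hme0 = external, hme1 = internal, LAN 192.168.1.0/24 assumed)

# Loopback is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: private or loopback source addresses never legitimately
# arrive on the external interface.
block in quick on hme0 from 192.168.0.0/16 to any
block in quick on hme0 from 10.0.0.0/8 to any
block in quick on hme0 from 172.16.0.0/12 to any
block in quick on hme0 from 127.0.0.0/8 to any

# Internal interface: the LAN may reach the gateway and the outside world.
pass in quick on hme1 from 192.168.1.0/24 to any keep state
pass out quick on hme1 all keep state

# External interface, outbound: allow new connections and track them.
# ipnat rewrites the source address *after* these rules run, and rewrites
# replies *before* the inbound rules run, so the state table matches them.
pass out quick on hme0 proto tcp from any to any flags S keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# External interface, inbound: only what is explicitly offered.
# Here: ssh to the gateway itself (assumed service).
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state

# The kernel already blocks by default; make it explicit and logged.
block in log quick on hme0 all
block out log quick on hme0 all

# /etc/ipnat.rules  (example; 0/32 means "the address of hme0")
map hme0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:65000
map hme0 192.168.1.0/24 -> 0/32
```

Load order matters when testing this by hand: apply the NAT table with ipnat before the filter rules with ipf, then check "ipfstat -s" and "ipnat -l" while a LAN host opens a connection; if an outbound connection appears in the NAT table but its reply is logged as blocked on hme0, the missing piece is a "keep state" on the outbound rule, not a "pass in ... all".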
