firewall_nat_enable in rc.firewall
Pavel Timofeev
timp87 at gmail.com
Fri Jan 27 12:00:06 UTC 2012
Hi all!
I have a small correction for /etc/rc.firewall
My conf
[hostname]# grep firewall /etc/rc.conf
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="re0"
firewall_nat_flags="same_ports reset"
[hostname]# ipfw show
00050 5175447 4519882589 nat 123 ip4 from any to any via re0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 1 76 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 174 31790 allow ip from any to any
65535 0 0 deny ip from any to any
It seems very strange to me that the first rule is the nat rule, because the following rules won't be reached and they look useless.
What do you think about this?
# diff -u /etc/rc.firewall /etc/rc.firewall.new
--- /etc/rc.firewall 2012-01-03 11:57:38.000000000 +0400
+++ /etc/rc.firewall.new 2012-01-27 11:53:40.000000000 +0400
@@ -169,7 +169,7 @@
firewall_nat_flags="if
${firewall_nat_interface} ${firewall_nat_flags}"
fi
${fwcmd} nat 123 config log ${firewall_nat_flags}
- ${fwcmd} add 50 nat 123 ip4 from any to any
via ${firewall_nat_interface}
+ ${fwcmd} add 64900 nat 123 ip4 from any to any
via ${firewall_nat_interface}
fi
;;
esac
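Review bot: moving the nat rule from 50 to 64900 (the -/+ pair in this hunk) changes which packets are translated, not only the numbering: ipfw stops at the first matching allow or deny, so a packet accepted or dropped by any rule numbered below 64900 never reaches nat instance 123 at all, and rules before it see inbound packets with their pre-translation addresses. It happens to work with firewall_type="open" because, in the output shown, only the loopback and ICMPv6 rules precede 65000, but any ruleset that allows traffic earlier (including rules loaded from the firewall_coscripts script the patch is meant to make room for) would then pass that traffic untranslated. The symptom that motivated the change, later rules never being consulted, comes from the nat rule being terminating when net.inet.ip.fw.one_pass=1 (the default); with one_pass=0 the packet continues at the next rule with nat still at 50. If a later position is still wanted, suggest making the rule number a configurable variable defaulting to 50 rather than replacing one hard-coded constant with another.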
There are some situations when I want to use
firewall_coscripts="/etc/ipfw.sh", which stores banned IP addresses and
ports.
If the nat rule were 64900, I'd have more numbers for my own rules.
I hope you understand my English =)
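An added illustration, not part of Pavel's mail or of rc.firewall: a small Python model of ipfw first-match evaluation over the IPv4 rules of the "open" ruleset shown above, comparing nat at rule 50 with nat at rule 64900. The Packet/Rule classes and the sample addresses are constructed for the example.

```python
# Added illustration (not from the mail or rc.firewall): a minimal model of
# ipfw first-match evaluation over the IPv4 part of the "open" ruleset above.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Packet:
    src: str
    dst: str
    iface: str

@dataclass
class Rule:
    num: int
    action: str                      # "nat", "allow" or "deny"
    match: Callable[[Packet], bool]

def open_ruleset(nat_rule_num: int) -> list:
    """The poster's ruleset with nat at 50 (shipped) or 64900 (patch)."""
    rules = [
        Rule(nat_rule_num, "nat", lambda p: p.iface == "re0"),
        Rule(100, "allow", lambda p: p.iface == "lo0"),
        Rule(200, "deny", lambda p: p.dst.startswith("127.")),
        Rule(300, "deny", lambda p: p.src.startswith("127.")),
        Rule(65000, "allow", lambda p: True),
        Rule(65535, "deny", lambda p: True),
    ]
    return sorted(rules, key=lambda r: r.num)

def evaluate(rules: list, pkt: Packet, one_pass: bool = True) -> tuple:
    """Return (verdict, numbers of the rules that matched). allow/deny end
    the search; a nat match also ends it when net.inet.ip.fw.one_pass=1
    (the FreeBSD default), otherwise the packet continues at the next rule."""
    hits = []
    for r in rules:
        if not r.match(pkt):
            continue
        hits.append(r.num)
        if r.action == "nat":
            if one_pass:
                return "allow", hits
            continue
        return r.action, hits
    return "deny", hits

if __name__ == "__main__":
    # Constructed sample: loopback source arriving via re0 (rule 300 drops it).
    spoofed = Packet("127.0.0.1", "192.0.2.10", "re0")
    print(evaluate(open_ruleset(50), spoofed))     # ('allow', [50])
    print(evaluate(open_ruleset(64900), spoofed))  # ('deny', [300])
```

With nat at 50 and the default one_pass, the loopback-sourced packet is translated and accepted before rule 300 is ever consulted; with one_pass=0 it reaches rule 300 even with nat left at 50.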