SMP and networking under FreeBSD 5.3

Joe josepha48 at
Sat Jun 18 02:31:38 GMT 2005

Okay, back on topic.

I've changed my rules in ipfw, and no longer get the hostname ..

Now natd does not start and it complains 'unable to bind divert
socket', and then 'can't assign requested address'.  I'm using:

natd_flags="-dynamic -d -log_ipfw_denied -log_denied"

Rules get set, natd does not start.

Interesting thing is that if I restart ipfw at the end of
/etc/rc  ( /etc/rc.d/ipfw start ) natd starts.

Hmm, I'm confused on this one.  


--- Alex Zbyslaw <xfb52 at> wrote:

> Joe wrote:
> >Thanks Alex,
> >
> >   Below are my rules.  I have removed the IP addresses and replaced with x.x.x.x in most cases.  Also some ports have been turned to y's instead of the actual port.
> >
>
> I don't want to go into the details of your firewall; all I can offer is general advice for you to apply if you wish.  There are plenty of resources out there from the various man pages to the handbook.  Firewalls can be trickier than they look and NAT makes them significantly more complicated to fathom correctly.  I don't claim to be any kind of expert and everything I know started life being written by someone else :-)  Any mistakes are most likely my own!  I will say that it is worth making sure you understand your own firewall.
>
> At one point you suggested that you wanted to make your firewall script start later so that you had access to your IP address.  I think you are on to a loser there because there is no particular time when it finally gets the IP address.  If your provider is down, it might take minutes, hours or even days.  You could keep polling in some way to see if you had an IP address and not run your rules script until you did, but it would seem better to just write rules which work even without the IP address.  Plus, that would also not work if you ever had a second external interface (e.g. an old-fashioned modem) which needed firewalling irrespective of the status of your ethernet interface.
>
> Although a firewall often needs to know the actual addresses of hosts other than itself, there is, as far as I can figure out, no logical reason for it to need to know its own IP address if you have the "me" construct.  (If, like my machine, your firewall is just another computer on a small network that is allowed to do exactly the same things as any other host on that network, then it needn't even use "me".  This makes life much easier because it interferes less with NAT).
>
> If you have "me" then you can always distinguish between your firewall and the rest of your network.
>
> Take the non-NAT case first:
>
>     allow all from me to any out xmit ext_if
>     allow all from any to me in recv ext_if
>
> These rules could only be triggered by packets addressed directly to your firewall.  If you follow it with e.g.
>
>     deny all from any to any out via ext_if
>     deny all from any to any in via ext_if
>
> then you close off your internal network.
>
> NAT makes things more complicated, because before or after NATing (depending on the direction) packets from your network can look like they originate on your machine or are destined for it.  E.g.
>
>     allow all from me to any out xmit ext_if
>
> must come before the NAT rule because after NAT-ing all your internal packets are going out ext_if, whereas
>
>     allow all from any to me in recv ext_if
>
> must come after the NAT rule to be sure that it is actually your firewall which is the recipient.
>
> If all you have is a small network, then there may be no reason to differentiate your firewall from any other machine.  In this case, it is perfectly sufficient to write rules based on the ext_if alone.  So I have rules like:
>
>     # Allow connections initiated from internal network
>     ipfw add allow tcp from any to any out xmit ext_if setup
>     # Allow TCP through if setup succeeded
>     ipfw add pass tcp from any to any via ext_if established
>
> The only IP addresses in my whole firewall are the limited number of hosts which can initiate some kind of connection into my network, e.g.
>
>     ipfw add allow tcp from x.x.x.x to any ssh setup
>
> (x.x.x.x not because I need to hide the IP but because I can't be bothered to find it in the firewall script :-))
>
> NB that rule says any for recipient because it was written before me existed.  But since my network is NATed, it would always be a packet header for my firewall and could only get elsewhere if I explicitly forwarded it.  There's no mention of the interface because a prior rule has already allowed internal connections which would match.  Looking at it now, I might get picky and put an interface spec in there just to be completist.
>
> It's often said that there is no security in obscurity, and while I don't always agree, I do think that if you actually have to hide the IPs in your firewall for it to be secure, then it isn't secure.  Since my firewall never mentions my IP address, I can publish the whole thing and even if it has flaws it won't help since you don't know where I am :-)
>
> A bit long-winded, but I hope it helps,
>
> --Alex
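The rule ordering Alex describes (the firewall's own outbound traffic matched before the natd divert rule, inbound to "me" matched after it, and default denies last) as an added example script; it is not from this thread or from FreeBSD itself, and the interface name and divert port are placeholders you would set for your own box.

```shell
#!/bin/sh
# Added example, not from the thread: emit an ipfw ruleset in the order
# described above and check that order before anything is loaded.
# Assumptions: EXT_IF is a placeholder interface name; 8668 is natd's
# default divert port (override either via the environment).
EXT_IF="${EXT_IF:-ext0}"
NATD_PORT="${NATD_PORT:-8668}"

# Print the ruleset, one "ipfw add" command per line, in dependency order.
build_rules() {
    cat <<EOF
ipfw -f flush
# 1. The firewall's own outbound packets, matched BEFORE natd rewrites
#    source addresses; after NAT every internal packet also leaves $EXT_IF.
ipfw add allow all from me to any out xmit $EXT_IF
# 2. Hand everything crossing the external interface to natd.
ipfw add divert $NATD_PORT all from any to any via $EXT_IF
# 3. Inbound to the firewall itself, matched AFTER natd has undone the
#    translation, so "me" really is the firewall and not a NATed host.
ipfw add allow all from any to me in recv $EXT_IF
# 4. Internal hosts may initiate TCP outward; replies pass once established.
ipfw add allow tcp from any to any out xmit $EXT_IF setup
ipfw add allow tcp from any to any via $EXT_IF established
# 5. Default deny on the external interface in both directions.
ipfw add deny all from any to any out via $EXT_IF
ipfw add deny all from any to any in via $EXT_IF
EOF
}

# 1-based position of the first non-comment rule matching a pattern
# (empty if absent).
rule_index() {
    build_rules | grep -v '^#' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Ordering check: "me out" must precede divert, "to me in" must follow it.
check_order() {
    me_out=$(rule_index 'from me to any out')
    divert=$(rule_index 'divert')
    me_in=$(rule_index 'to me in recv')
    [ -n "$me_out" ] && [ -n "$divert" ] && [ -n "$me_in" ] &&
      [ "$me_out" -lt "$divert" ] && [ "$divert" -lt "$me_in" ]
}

# Dry run prints the rules; "apply" pipes them to sh (needs root on FreeBSD).
if [ "$1" = "apply" ]; then build_rules | sh; else build_rules; fi
```

Because the script never mentions the firewall's own address, it can be loaded before the external interface has obtained one.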


More information about the freebsd-questions mailing list