
Re: natd and open firewall problem


From: Andreas Hauser <andy@xxxxxxxxxxxxxxx>
Date: 26 Feb 2005 09:03:05 -0000

justin wrote @ Fri, 25 Feb 2005 23:12:30 -0500 (EST):

> Looking at /etc/rc.firewall, it appears that having a firewall type of
> "open" set in your rc.conf will give you rule 1 'pass all from any to
> any', while it's rule 50 that gets natd working.  Nothing makes it past
> rule 1.

Yes, that is not good: an ipfw ruleset is evaluated in rule-number order and stops at the first match, so with "open" the `add 1 pass all` rule matches every packet and the divert at rule 50 is never reached — natd never sees any traffic.
It is not the only problem in there, though.
That is why rc.conf lets you override the firewall script instead of relying on the shipped one.

How about this:

Index: etc/rc.firewall
===================================================================
RCS file: /home/dcvs/src/etc/rc.firewall,v
retrieving revision 1.3
diff -u -p -r1.3 rc.firewall
--- etc/rc.firewall	22 Oct 2004 20:26:03 -0000	1.3
+++ etc/rc.firewall	26 Feb 2005 09:00:02 -0000
@@ -93,6 +93,12 @@ if [ -n "$1" ]; then
     esac
 fi
 
+divert_nat() {
+    if [ -n "${natd_interface}" ]; then
+        ${fwcmd} add divert natd all from any to any via ${natd_interface}
+    fi
+}
+
 allow_loopback() {
     ${fwcmd} add pass all from any to any via lo0
     ${fwcmd} add deny ${log} all from any to 127.0.0.0/8
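Review bot: The new divert_nat() drops the natd_enable check that the removed block had, installing the divert rule whenever natd_interface is non-empty even when natd is switched off in rc.conf. Per ipfw(8), packets diverted to a port with no bound divert socket are dropped, so a host with natd_interface set but natd_enable=NO would lose all traffic on that interface rather than just running without NAT. Keeping the yes/no test inside the helper preserves the old behaviour; quoting the interface variable is also safer since it comes from rc.conf.
```shell
divert_nat() {
    # Only divert when natd is actually enabled: an unattended divert port
    # drops every packet sent to it (ipfw(8)).
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add divert natd all from any to any via "${natd_interface}"
        fi
        ;;
    esac
}
```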
@@ -150,7 +156,7 @@ deny_not_routed_nets()
     nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
         169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
     for net in ${nets} ; do
-        ${fwcmd} add deny ${log} all from any to $net
+        ${fwcmd} add deny ${log} all from $net to any
     done
 }
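Review bot: Flipping the rule from `to $net` to `from $net to any` changes what deny_not_routed_nets() blocks, and the new form has no `in`/`via` qualifier, so it matches packets on every interface in both directions. On a box that itself lives on an RFC1918 network, or acts as the NAT gateway for one, `deny all from 192.168.0.0/16 to any` (or 10/8, 172.16/12) will drop the LAN's own traffic, and `from 0.0.0.0/8` as a source also blocks DHCP DISCOVER packets. If the intent is anti-spoofing on the outside, scope the rule to inbound traffic on the external interface, e.g. `${fwcmd} add deny ${log} all from $net to any in via ${natd_interface}` (or whichever variable names the external interface here), and consider keeping the original `to $net` rule rather than replacing it. The function's opening line is outside this hunk, so I cannot see how it is invoked.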
 
@@ -163,20 +169,10 @@ deny_rest() {
 ${fwcmd} -f flush
 
 case ${firewall_type} in
-    [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
-    case ${natd_enable} in
-        [Yy][Ee][Ss])
-        if [ -n "${natd_interface}" ]; then
-            ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
-        fi
-        ;;
-    esac
-esac
-
-case ${firewall_type} in
     [Oo][Pp][Ee][Nn])
         allow_loopback
         deny_spoof
+        divert_nat
         ${fwcmd} add 1 pass all from any to any
     ;;
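Review bot: The "open" arm still ends with `${fwcmd} add 1 pass all from any to any`, and since divert_nat() adds its rule with an auto-assigned (higher) number, rule 1 is evaluated first and continues to shadow the divert exactly as the quoted report describes — reordering the shell calls does not reorder the ruleset. The same rule also shadows allow_loopback and deny_spoof, so "open" silently disables the anti-spoof denies. Dropping the explicit number, `${fwcmd} add pass all from any to any`, appends the pass rule after the loopback, spoof and divert rules so they are actually reached.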
 
@@ -184,6 +180,7 @@ case ${firewall_type} in
     [Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
         allow_loopback
         deny_spoof
+        divert_nat
         allow_trusted_nets ${firewall_trusted_nets}
         allow_trusted_interfaces ${firewall_trusted_interfaces}
         allow_connections
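Review bot: The placement of divert_nat here is order-sensitive but undocumented; the rules that follow (allow_trusted_nets, allow_trusted_interfaces, allow_connections) are evaluated on the packet as it is re-injected after natd rewrites it, so they see internal addresses for inbound traffic. A one-line comment above the call would save the next maintainer from moving it, e.g. `# Divert to natd before the allow rules so later rules see post-translation addresses.` This case arm continues past the end of the hunk, so I cannot see whether any later rule depends on pre-translation addresses.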


