
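--- a/rc.firewall
+++ b/rc.firewall
@@ -142,20 +142,19 @@
 setup_ipv6_mandatory
 
 ############
-# Network Address Translation.  All packets are passed to natd(8)
-# before they encounter your remaining rules.  The firewall rules
-# will then be run again on each packet after translation by natd
-# starting at the rule number following the divert rule.
+# Network Address Translation.  All packets are passed to natd(8) or
+# kernel nat before they encounter your remaining rules.  The firewall
+# rules will then be run again on each packet after nat translation
+# starting at the rule number following the divert or nat rule.
 #
-# For ``simple'' firewall type the divert rule should be put to a
+# For ``simple'' firewall type the divert or nat rule is included in a
 # different place to not interfere with address-checking rules.
 #
-case ${firewall_type} in
-[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
+setup_nat () {
 	case ${natd_enable} in
 	[Yy][Ee][Ss])
 		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
+			${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface}
 		fi
 		;;
 	esac
@@ -169,11 +168,11 @@
 				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
 			fi
 			${fwcmd} nat 123 config log ${firewall_nat_flags}
-			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
+			${fwcmd} add $1 nat 123 ip4 from any to any via ${firewall_nat_interface}
 		fi
 		;;
 	esac
-esac
+}
 
 ############
 # If you just configured ipfw in the kernel as a tool to solve network
@@ -188,6 +187,7 @@
 #
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn])
+	setup_nat 50
 	${fwcmd} add 65000 pass all from any to any
 	;;
 
@@ -205,6 +205,8 @@
 	net="$firewall_client_net"
 	net6="$firewall_client_net_ipv6"
 
+	setup_nat 50
+
 	# Allow limited broadcast traffic from my own net.
 	${fwcmd} add pass all from ${net} to 255.255.255.255
 
@@ -245,6 +247,12 @@
 	# Allow NTP queries out in the world
 	${fwcmd} add pass udp from me to any 123 keep-state
 
+	# Allow outbound pings
+	${fwcmd} add pass icmp from me to any out icmptypes 8 keep-state
+
+	# Allow essential ICMP: unreachable, source quench, TTL exceeded
+	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
+
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
 	# config file.
@@ -311,13 +319,7 @@
 	# translated by natd(8) would match the `deny' rule above.  Similarly
 	# an outgoing packet originated from it before being translated would
 	# match the `deny' rule below.
-	case ${natd_enable} in
-	[Yy][Ee][Ss])
-		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
-		fi
-		;;
-	esac
+	setup_nat
 
 	# Stop RFC1918 nets on the outside interface
 	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
@@ -414,6 +416,12 @@
 
 	# Allow NTP queries out in the world
 	${fwcmd} add pass udp from me to any 123 keep-state
+
+	# Allow outbound pings from our net
+	${fwcmd} add pass icmp from any to any out icmptypes 8 keep-state
+
+	# Allow essential ICMP: unreachable, source quench, TTL exceeded
+	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel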
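Review bot: The new `${fwcmd} add pass icmp from any to any icmptypes 3,4,11` rule, added to both the client and simple sections, accepts ICMP source quench (type 4) from any source; source quench is deprecated (RFC 6633) precisely because an unauthenticated off-path sender can use it to throttle a host's TCP connections, so it should be dropped from the list: `${fwcmd} add pass icmp from any to any icmptypes 3,11`. The rule is also stateless and bidirectional, so in the simple (gateway) case it forwards unsolicited type 3/11 messages to hosts behind ${oif} and lets those hosts emit them outward; if the only goal is to keep PMTU discovery and traceroute working, the comment should say so and the rule should be tightened accordingly. Separately, the bare `setup_nat` call in the simple section relies on an empty `$1` to make ipfw auto-number the divert/nat rule, which matches the old unnumbered rule but is easy to misread as a missing argument; a one-line comment such as `# no rule number: ipfw assigns the next free one, as before` would make that deliberate. The enclosing simple-firewall case branch continues outside the hunk.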
