FreeBSD Bugzilla – Attachment 107362 Details for Bug 148144: [patch] add ipfw_nat support for rc.firewall simple type
[patch] rc.firewall.patch (text/plain), 3.35 KB, created by Ian Smith on 2010-06-27 09:29:38 UTC
Description: rc.firewall.patch
Filename: rc.firewall.patch
MIME Type: text/plain
Creator: Ian Smith
Created: 2010-06-27 09:29:38 UTC
Size: 3.35 KB
Flags: patch, obsolete
>--- rc.firewall.1.69 Sun Jun 27 16:43:48 2010 >+++ rc.firewall Sun Jun 27 17:48:15 2010 >@@ -142,20 +142,19 @@ > setup_ipv6_mandatory > > ############ >-# Network Address Translation. All packets are passed to natd(8) >-# before they encounter your remaining rules. The firewall rules >-# will then be run again on each packet after translation by natd >-# starting at the rule number following the divert rule. >+# Network Address Translation. All packets are passed to natd(8) or >+# kernel nat before they encounter your remaining rules. The firewall >+# rules will then be run again on each packet after nat translation >+# starting at the rule number following the divert or nat rule. > # >-# For ``simple'' firewall type the divert rule should be put to a >+# For ``simple'' firewall type the divert or nat rule is included in a > # different place to not interfere with address-checking rules. > # >-case ${firewall_type} in >-[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt]) >+setup_nat () { > case ${natd_enable} in > [Yy][Ee][Ss]) > if [ -n "${natd_interface}" ]; then >- ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface} >+ ${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface} > fi > ;; > esac >@@ -169,11 +168,11 @@ > firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}" > fi > ${fwcmd} nat 123 config log ${firewall_nat_flags} >- ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface} >+ ${fwcmd} add $1 nat 123 ip4 from any to any via ${firewall_nat_interface} > fi > ;; > esac >-esac >+} > > ############ > # If you just configured ipfw in the kernel as a tool to solve network >@@ -188,6 +187,7 @@ > # > case ${firewall_type} in > [Oo][Pp][Ee][Nn]) >+ setup_nat 50 > ${fwcmd} add 65000 pass all from any to any > ;; 
> >@@ -205,6 +205,8 @@ > net="$firewall_client_net" > net6="$firewall_client_net_ipv6" > >+ setup_nat 50 >+ > # Allow limited broadcast traffic from my own net. > ${fwcmd} add pass all from ${net} to 255.255.255.255 > >@@ -245,6 +247,12 @@ > # Allow NTP queries out in the world > ${fwcmd} add pass udp from me to any 123 keep-state > >+ # Allow outbound pings >+ ${fwcmd} add pass icmp from me to any out icmptypes 8 keep-state >+ >+ # Allow essential ICMP: unreachable, source quench, TTL exceeded >+ ${fwcmd} add pass icmp from any to any icmptypes 3,4,11 >+ > # Everything else is denied by default, unless the > # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel > # config file. >@@ -311,13 +319,7 @@ > # translated by natd(8) would match the `deny' rule above. Similarly > # an outgoing packet originated from it before being translated would > # match the `deny' rule below. >- case ${natd_enable} in >- [Yy][Ee][Ss]) >- if [ -n "${natd_interface}" ]; then >- ${fwcmd} add divert natd ip4 from any to any via ${natd_interface} >- fi >- ;; >- esac >+ setup_nat > > # Stop RFC1918 nets on the outside interface > ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} >@@ -414,6 +416,12 @@ > > # Allow NTP queries out in the world > ${fwcmd} add pass udp from me to any 123 keep-state >+ >+ # Allow outbound pings from our net >+ ${fwcmd} add pass icmp from any to any out icmptypes 8 keep-state >+ >+ # Allow essential ICMP: unreachable, source quench, TTL exceeded >+ ${fwcmd} add pass icmp from any to any icmptypes 3,4,11 > > # Everything else is denied by default, unless the > # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
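Review bot: `setup_nat ()` in the first hunk takes an optional rule number as `$1`, but nothing documents that; the `simple` type later calls it with no argument, so `${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface}` relies on `$1` expanding to nothing and ipfw assigning the next free number. Add a one-line comment above the function, e.g. `# setup_nat [rulenum]: add the natd divert or kernel nat rule, auto-numbered if no rulenum is given`, and keep `$1` unquoted on purpose, since `"$1"` would hand ipfw an empty word.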
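Review bot: the two ICMP rules added to the `client` type in the `@@ -245,6 +247,12 @@` hunk have nothing to do with the ipfw_nat change this bug is about and would be easier to review and revert as a separate patch. If they stay, note that `${fwcmd} add pass icmp from any to any icmptypes 3,4,11` is unrestricted in both direction and interface, and that type 4 (source quench) is deprecated and ignored by current stacks, so `icmptypes 3,11` is sufficient.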
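Review bot: the `setup_nat` call in the `@@ -311,13 +319,7 @@` hunk is the real fix for this bug, but the comment retained just above it still says packets are `translated by natd(8)`; update it to mention kernel nat as well, as the rewritten header comment in the first hunk already does. A short comment that the call deliberately passes no rule number, so the rule takes the next automatic number and lands between the spoofing denies above and the RFC1918 denies below as that comment requires, would also help the next reader.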
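Review bot: in the `@@ -414,6 +416,12 @@` hunk the comment says `Allow outbound pings from our net` but the rule is `from any to any out icmptypes 8 keep-state`, so only the `out` keyword narrows it; either make the comment match or restrict the source, e.g. `from ${inet}:${imask}` (assuming the simple type's inside-net variables are in scope here). Also, ipfw examines a forwarded packet once on input via `${iif}` and again on output via `${oif}`, and an `out` rule only covers the second pass, so check that an earlier rule admits the echo request on its inbound pass or pings from LAN hosts will still be denied. The `icmptypes 3,4,11` rule is identical to the one added for the `client` type and carries the same direction and source-quench caveats.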