| Summary: | NATD is not compatible with the "simple" firewall as shipped |
|---|---|
| Product: | Base System |
| Reporter: | Gregory Bond <gnb> |
| Component: | conf |
| Assignee: | ru <ru> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| Priority: | Normal |
| Version: | 3.2-STABLE |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |
On Thu, Sep 16, 1999 at 12:45:11PM +1000, Gregory Bond wrote:
[...]
> # Stop RFC1918 nets on the outside interface
> - $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> - $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> - $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> - $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> - $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> - $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> + $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
> + $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
> + $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
> + $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
> + $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
> + $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}

First, thank you very much for your problem report!

But this modification would make an unnecessary tweak to ipfw(8). A more robust (IMO) patch is attached.

--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

Responsible Changed From-To: freebsd-bugs->ru
ru is interested in natd.

State Changed From-To: open->feedback
Fixed in 5.0-CURRENT, src/etc/rc.firewall,v 1.36.

State Changed From-To: feedback->closed
Fixed in 4.1-STABLE, src/etc/rc.firewall,v 1.30.2.5.
Fixed in 3.5-STABLE, src/etc/rc.firewall,v 1.19.2.5.
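Review bot: narrowing all six rules to a single direction restores natd connectivity but silently gives up two checks the plain `via` form provided. `$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}` no longer stops an inbound packet that arrives on ${oif} already addressed to the private net (natd only rewrites packets to its aliasing address, so such a packet reaches the rule unchanged), and `$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}` no longer stops a private source from leaking out ${oif} when it was not translated, for example with natd_enable set to NO on a box that still routes an RFC1918 LAN. Since the report says these rules are hit by packets natd has already processed, the divert rule precedes them; an alternative that keeps both directions is to place the three "to" rules ahead of the divert and the three "from" rules after it, so inbound replies are checked before natd rewrites their destination and outbound packets are checked after natd rewrites their source. Whichever ordering is chosen, the placement relative to the divert rule should be explained in a comment in rc.firewall, because the surrounding rules look order-independent and will otherwise be rearranged by the next editor.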
As shipped, the rc.firewall file contains a "simple" firewall config. Presumably, many users will base their configs on this example. This config attempts to trap spoofing of addresses on RFC1918 nets from using the external interface.

If NATD is in use and your internal net is an RFC1918 net, then these anti-spoofing rules trap legitimate inbound packets that have been processed by natd. The end result is that you can't actually use natd to connect to outside hosts.

The fix is to apply the RFC1918 traps only to incoming or outgoing packets as required.

As an aside, the natd divert rule and the somewhat important 'any to any via lo0' rule both wind up as rule # 100.

The attached patch fixes both these problems.

How-To-Repeat:

Use a 192.168.x.y internal network and NATD. Add a rule like

    $fwcmd add pass log tcp from ${mel} to any ssh out via ${oif} setup

and note that outgoing packets are accepted by this rule and sent to the internet, but incoming packets are trapped by the rule that says

    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

and no outgoing ssh is possible.
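To make the How-To-Repeat concrete, here is an added example (not code from rc.firewall, natd or this PR) that models ipfw first-match evaluation with a natd divert rule and runs the reporter's scenario plus three spoofing and leak cases through three rule placements: the shipped plain-`via` rules after the divert, the reporter's `in`/`out` qualifiers, and a third ordering assumed here as an alternative (the patch Ruslan attached is not on this page) that puts the "to" rules before the divert and the "from" rules after it. The interface name ed0, the aliasing address 203.0.113.5, the 198.51.100.x remote hosts and the "allow everything" tail are assumptions; ports and TCP flags are not modelled.

```python
"""Added example, not code from rc.firewall, natd or this PR: a model of ipfw
first-match evaluation with a natd divert, comparing RFC1918 rule placements.
Interface name, addresses and the simplified rule tail are assumed."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

OIF = "ed0"                                   # assumed external interface
PUBLIC = ip_address("203.0.113.5")            # assumed natd aliasing address
ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    iface: str
    direction: str                            # "in" or "out" on iface


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow", "deny" or "divert"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    iface: Optional[str] = None               # "via <iface>"; None matches any interface
    direction: Optional[str] = None           # None is plain "via" (both directions)

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and self.iface in (None, p.iface)
                and self.direction in (None, p.direction))


class Natd:
    """Minimal natd: outbound sources become PUBLIC and replies to PUBLIC are
    mapped back by remote address; everything else passes through untouched."""
    def __init__(self) -> None:
        self.table = {}                       # remote address -> private address

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out" and p.src != PUBLIC:
            self.table[p.dst] = p.src
            return replace(p, src=PUBLIC)
        if p.direction == "in" and p.dst == PUBLIC and p.src in self.table:
            return replace(p, dst=self.table[p.src])
        return p


def evaluate(rules, packet: Packet, natd: Natd):
    """ipfw-style first match. A divert hands the packet to natd and evaluation
    resumes at the next rule with the (possibly rewritten) packet."""
    p = packet
    for r in rules:
        if not r.matches(p):
            continue
        if r.action == "divert":
            p = natd.translate(p)
            continue
        return r.action, p
    return "deny", p                          # the simple firewall ends in a deny


def from_rules(direction=None):               # "deny all from <net> to any [dir] via oif"
    return [Rule("deny", src=n, iface=OIF, direction=direction) for n in RFC1918]


def to_rules(direction=None):                 # "deny all from any to <net> [dir] via oif"
    return [Rule("deny", dst=n, iface=OIF, direction=direction) for n in RFC1918]


DIVERT = [Rule("divert", iface=OIF)]
TAIL = [Rule("allow")]                        # assumed stand-in for the rest of the rule set
SHIPPED = DIVERT + from_rules() + to_rules() + TAIL            # plain "via" after the divert
PR_PATCH = DIVERT + from_rules("in") + to_rules("out") + TAIL  # the quoted hunk
REORDERED = to_rules() + DIVERT + from_rules() + TAIL          # assumed alternative ordering


def ssh_session(rules):
    """How-To-Repeat: an internal host opens a connection and the remote side replies."""
    natd = Natd()
    syn = Packet(ip_address("192.168.1.10"), ip_address("198.51.100.7"), OIF, "out")
    reply = Packet(ip_address("198.51.100.7"), PUBLIC, OIF, "in")
    return evaluate(rules, syn, natd)[0], evaluate(rules, reply, natd)[0]


def spoofed_private_source(rules):
    """Inbound packet on the outside interface claiming a 192.168 source."""
    return evaluate(rules, Packet(ip_address("192.168.5.5"), PUBLIC, OIF, "in"), Natd())[0]


def inbound_private_destination(rules):
    """Inbound packet on the outside interface already addressed to the internal net."""
    p = Packet(ip_address("198.51.100.9"), ip_address("192.168.1.10"), OIF, "in")
    return evaluate(rules, p, Natd())[0]


def private_egress_without_natd(rules):
    """Same rules with the divert removed (natd disabled): does a private source leak out?"""
    p = Packet(ip_address("192.168.1.10"), ip_address("198.51.100.7"), OIF, "out")
    return evaluate(rules, [r for r in rules if r.action != "divert"], Natd())[0] if False else \
        evaluate([r for r in rules if r.action != "divert"], p, Natd())[0]


if __name__ == "__main__":
    for name, rules in (("shipped", SHIPPED), ("pr patch", PR_PATCH), ("reordered", REORDERED)):
        print(name, ssh_session(rules), spoofed_private_source(rules),
              inbound_private_destination(rules), private_egress_without_natd(rules))
```

With the shipped ordering the outbound SYN is allowed but the translated reply is denied, which is the report; the reporter's qualifiers fix that but let an inbound packet already addressed to 192.168.1.10 through and let an untranslated private source out when natd is off; the reordered placement passes the session and denies all three of the other cases.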