Bug 64807

Summary: Handbook section on NAT incomplete
Product: Documentation Reporter: Vlad Manilici <vman.SYMBOL.tmok.SYMBOL.com>
Component: Books & Articles
Assignee: freebsd-doc (Nobody) <doc>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Vlad Manilici freebsd_committer freebsd_triage 2004-03-27 16:40:13 UTC
The Handbook section on NAT:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
does not contain sufficient information to configure NAT on FreeBSD.

More specifically:
1. the suggested firewall configuration ("OPEN") does not contain any
   redirection rule. Probably, the intention was "OpenClient".
2. it should be mentioned that NAT does not work with stateful rules.
3. NAT configuration with an "open" firewall is not enough in today's
   Internet. A set of rules that mixes NAT with filtering should be
   explained. Combining the two raises some problems not seen in either
   independently, and should definitely be explained.

Here is a working set of rules for NAT and some meaningful packet
filtering (of course, one could do better). The external interface
is "xl0", and the internal one "rl0". The internal network is
10.0.0/24.

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 divert 8668 ip from any to any via xl0
00500 allow ip from any to any frag
00600 allow ip from 10.0.0.0/24 to any in recv rl0
00700 allow ip from any to 10.0.0.0/24 out xmit rl0
00800 allow ip from any to 10.0.0.0/24 via xl0
00900 allow tcp from me to any setup out xmit xl0
01000 allow tcp from any to me dst-port 22 setup in recv xl0
01100 allow tcp from any to any established via xl0
01200 allow udp from any 53 to any via xl0
01300 allow udp from any to any dst-port 53 via xl0
01400 allow udp from any 68 to any via xl0
01500 allow udp from any to any dst-port 68 via xl0
01600 allow udp from any 123 to any via xl0
01700 allow udp from any to any dst-port 123 via xl0
01800 allow icmp from me to any icmptypes 8 out xmit xl0
01900 allow icmp from any to me icmptypes 0 in recv xl0
02000 allow icmp from any to any icmptypes 3,11 via xl0
02100 deny ip from any to any
65535 deny ip from any to any

Note that:
1. I used the "standard" loopback configuration in rc.firewall.
2. Diverting should be the first rule after loopback setup.
3. Rule 800, although it seems contradictory, is necessary (tested).
   To know why, one should explore how natd packet reinjection works.

Fix: 

See above.
How-To-Repeat: Give a beginner the Handbook and ask her to install NAT :)).
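The reporter's notes 2 and 3 (divert first; rule 800 needed) can be checked with a small model of the rule walk. This is an added example, not code from the PR or from FreeBSD; it assumes 192.0.2.10 as the xl0 address ("me"), natd keeping ports/ICMP ids unchanged, and a packet reinjected by natd resuming at the rule after the divert rule.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address as ip, ip_network
ME = ip("192.0.2.10")                 # assumed address of xl0, what ipfw calls "me"
INT = ip_network("10.0.0.0/24")       # internal network behind rl0
SESSIONS = {}                         # natd-style table: (proto, port or icmp id) -> internal host

@dataclass
class Pkt:
    proto: str; src: str; dst: str; port: int = 0; icmptype: int = -1
    recv: str = ""; xmit: str = ""    # inbound packets have only recv set
inn = lambda p: p.xmit == ""
via = lambda p, i: i in (p.recv, p.xmit)

def natd(p):
    """Model natd(8): outbound src in INT becomes ME; inbound dst ME is mapped back (ports kept)."""
    if not inn(p) and ip(p.src) in INT:
        SESSIONS[(p.proto, p.port)] = p.src
        return replace(p, src=str(ME))
    if inn(p) and ip(p.dst) == ME and (p.proto, p.port) in SESSIONS:
        return replace(p, dst=SESSIONS[(p.proto, p.port)])
    return p

# Subset of the reporter's ruleset as (number, action, match); TCP/UDP rules omitted for brevity.
RULES = [
    (100, "allow", lambda p: via(p, "lo0")),
    (400, "divert", lambda p: via(p, "xl0")),
    (600, "allow", lambda p: inn(p) and p.recv == "rl0" and ip(p.src) in INT),
    (700, "allow", lambda p: not inn(p) and p.xmit == "rl0" and ip(p.dst) in INT),
    (800, "allow", lambda p: via(p, "xl0") and ip(p.dst) in INT),
    (1800, "allow", lambda p: p.proto == "icmp" and ip(p.src) == ME and p.icmptype == 8 and p.xmit == "xl0"),
    (1900, "allow", lambda p: p.proto == "icmp" and ip(p.dst) == ME and p.icmptype == 0 and inn(p) and p.recv == "xl0"),
    (2000, "allow", lambda p: p.proto == "icmp" and p.icmptype in (3, 11) and via(p, "xl0")),
    (2100, "deny", lambda p: True),
]
WITHOUT_800 = [r for r in RULES if r[0] != 800]
DIVERT_LAST = [RULES[0]] + RULES[2:-1] + [RULES[1], RULES[-1]]   # divert placed after the filtering rules

def walk(p, rules=RULES):
    """Return (rule, action, dst as finally seen); a diverted packet is NATed and resumes at the
    next rule (assumed natd/ipfw reinjection behaviour, the point of the reporter's note 3)."""
    for num, action, match in rules:
        if match(p):
            if action != "divert":
                return num, action, p.dst
            p = natd(p)
    return 65535, "deny", p.dst

def ping_from_inside(rules=RULES):
    """10.0.0.5 pings 198.51.100.1: verdict for the outbound leg on xl0, then for the echo reply."""
    out = Pkt("icmp", "10.0.0.5", "198.51.100.1", port=7, icmptype=8, recv="rl0", xmit="xl0")
    back = Pkt("icmp", "198.51.100.1", str(ME), port=7, icmptype=0, recv="xl0")
    return walk(out, rules), walk(back, rules)
```

With rule 800 the un-NATed echo reply is accepted at 800; without it, the reply (now addressed to 10.0.0.5, so no longer "me" for rule 1900) falls through to the final deny, and with the divert moved after the filters the outbound leg never matches "from me" at all.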
Comment 1 Marc Fonvieille freebsd_committer freebsd_triage 2004-03-27 17:38:46 UTC
On Sat, Mar 27, 2004 at 08:33:43AM -0800, Vlad Manilici wrote:
> 
> >Description:
> The Handbook section on NAT:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
> does not contain sufficient information to configure NAT on FreeBSD.
> 
> More specifically:
> 1. the suggested firewall configuration ("OPEN") does not contain any
>    redirection rule. Probably, the intention was "OpenClient".
> 2. it should be mentioned that NAT does not work with stateful rules.
> 3. NAT configuration with an "open" firewall is not enough in today's
>    Internet. A set of rules that mixes NAT with filtering should be
>    explained. Combining the two raises some problems not seen in either
>    independently, and should definitely be explained.
> 
> Here is a working set of rules for NAT and some meaningful packet
> filtering (of course, one could do better). The external interface
> is "xl0", and the internal one "rl0". The internal network is
> 10.0.0/24.
>
[...]

You are talking about packet filtering, not only NAT; the aim of the
mentioned section is to cover only NAT (natd(8)), not the configuration
of a firewall (that is why the OPEN type was used).
All examples are done from that point of view.

If someone wants to add packet filtering, reading
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
and /etc/rc.firewall will be enough, since rc.firewall contains good
examples.  (Changing the OPEN type to SIMPLE or CLIENT does the trick.)

Marc
Comment 2 Remko Lodder freebsd_committer freebsd_triage 2007-02-19 13:13:41 UTC
State Changed
From-To: open->closed

Given Marc's reply and no additional feedback, I will close the PR.