natd and open firewall problem

Andreas Hauser andy at splashground.de
Sat Feb 26 07:11:54 PST 2005


justin wrote @ Sat, 26 Feb 2005 09:08:53 -0500 (EST):

> >          ${fwcmd} add 1 pass all from any to any

Yes, remove the 1.

> case ${firewall_type} in
> [Oo][Pp][Ee][Nn])
> 	setup_loopback
> 	${fwcmd} add 65000 pass all from any to any
> 	;;
> 
> Andreas - it looks like your last changeset is where the "add 1 ..." rule
> came from.  Why did it go from rule 65000 to 1?  Any objection to me
> changing it back?

My rationale was that if something goes wrong, e.g. some
other script also adding rules, it will still stay open.
Also if you later add rules you can figure them out entirely
and then activate them by removing rule 1.
Obviously I have not spent much time thinking about divert
rules, that was also why it wasn't a function of its own ...

How about the attached patch ?

Andy

Index: rc.firewall
===================================================================
RCS file: /home/dcvs/src/etc/rc.firewall,v
retrieving revision 1.3
diff -u -p -r1.3 rc.firewall
--- rc.firewall	22 Oct 2004 20:26:03 -0000	1.3
+++ rc.firewall	26 Feb 2005 15:09:11 -0000
@@ -93,6 +93,12 @@ if [ -n "$1" ]; then
     esac
 fi
 
+divert_nat() {
+    if [ -n "${natd_interface}" ]; then
+        ${fwcmd} add divert natd all from any to any via ${natd_interface}
+    fi
+}
+
 allow_loopback() {
     ${fwcmd} add pass all from any to any via lo0
     ${fwcmd} add deny ${log} all from any to 127.0.0.0/8
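Review bot: divert_nat gates only on natd_interface being non-empty and no longer consults natd_enable, which the block removed in the third hunk used to check before installing the divert rule. A host that sets natd_interface in rc.conf but leaves natd_enable off therefore gets a divert rule for a natd that is not running, and ipfw drops packets matched by a divert rule with no listening socket, so the "open" type would silently stop passing traffic on that interface. Unless natd_interface is guaranteed to be empty whenever natd_enable is not yes (nothing visible here ensures that), the function should keep the yes check; both callers added in the third hunk then inherit it. The unquoted ${natd_interface} on the rule line matches the rest of the file and is fine for a single interface name.
```shell
divert_nat() {
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac
}
```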
@@ -150,7 +156,7 @@ deny_not_routed_nets()
     nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
         169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
     for net in ${nets} ; do
-        ${fwcmd} add deny ${log} all from any to $net
+        ${fwcmd} add deny ${log} all from $net to any
     done
 }
 
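Review bot: The rewritten deny line in deny_not_routed_nets reverses the filter direction, dropping packets sourced from the listed private and bogon ranges instead of packets addressed to them, and nothing in the message explains it; this is unrelated to the divert change and deserves its own change, or at least a comment. Since ipfw evaluates these rules on both inbound and outbound traffic, a host whose own interface carries a 10/8, 172.16/12 or 192.168/16 address would have its own LAN traffic dropped by this rule; whether that matters depends on which firewall types call deny_not_routed_nets, which is outside the hunk. A comment above the loop such as `# ingress filter: drop packets that claim an unroutable source address; traffic *to* these nets is not filtered here` would make the intent explicit. deny_not_routed_nets begins before the hunk.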
@@ -163,27 +169,18 @@ deny_rest() {
 ${fwcmd} -f flush
 
 case ${firewall_type} in
-    [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
-    case ${natd_enable} in
-        [Yy][Ee][Ss])
-        if [ -n "${natd_interface}" ]; then
-            ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
-        fi
-        ;;
-    esac
-esac
-
-case ${firewall_type} in
     [Oo][Pp][Ee][Nn])
         allow_loopback
         deny_spoof
-        ${fwcmd} add 1 pass all from any to any
+        divert_nat
+        ${fwcmd} add pass all from any to any
     ;;
 
     # historical names
     [Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
         allow_loopback
         deny_spoof
+        divert_nat
         allow_trusted_nets ${firewall_trusted_nets}
         allow_trusted_interfaces ${firewall_trusted_interfaces}
         allow_connections
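Review bot: The divert_nat call added to the `[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|""` arm widens NAT diversion to the simple and unset firewall types, which the removed `[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt]` block did not cover; if the simple type has its own natd handling further down the file (not visible here) the divert rule would be installed twice, and the default type now gets a divert whenever natd_interface is set, regardless of natd_enable. Restoring the natd_enable check inside divert_nat keeps the default type's behaviour unchanged when NAT is off. The placement itself is sound, and a one-line comment before each call would record why: `# NAT divert comes after allow_loopback/deny_spoof so those rules are evaluated first`. The case statement continues past the end of the hunk.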




