natd and open firewall problem

justin at shiningsilence.com
Sat Feb 26 06:08:35 PST 2005


> Yo that probably ain't that good.
> It's not the only problem there is in there though.
> That's why one can override it.

>          ${fwcmd} add 1 pass all from any to any

I'm not terribly familiar with the topic, but doesn't ipfw stop matching
after reaching this rule?  i.e. since all packets are passed, and they
encounter this rule first, they won't see any other rule - including the
NAT divert rule.

A "pass all any to any" rule shouldn't be needed, as the instructions
mention an 'IPFIREWALL_DEFAULT_TO_ACCEPT' kernel option that does the same
thing, except as the last rule, not the first.  My machine does have that.

Looking at the FreeBSD cvsweb, and our rc.firewall before version 1.3, it
does just that in an open situation:

# excerpt from rc.firewall: the "open" firewall type passes everything,
# but only at rule 65000, after any natd divert rule has been seen
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	setup_loopback
	${fwcmd} add 65000 pass all from any to any
	;;
esac

Andreas - it looks like your last changeset is where the "add 1 ..." rule
came from.  Why did it go from rule 65000 to 1?  Any objection to me
changing it back?
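
The ordering point above, as an added illustration that is not part of the original post: a minimal model of ipfw's first-match evaluation, used to show why a "pass all from any to any" rule numbered 1 shadows a later natd divert rule while the same rule numbered 65000 does not. The divert rule's number (50) and the rule texts are assumed for the example; ipfw orders rules by number, not by the order they were added.

```python
# Added illustration, not code from the mailing-list post or from rc.firewall.
# Models ipfw's first-match semantics: rules are walked in numeric order and
# the first rule whose action decides the packet's fate ends the walk.

TERMINAL_ACTIONS = ("pass", "allow", "accept", "deny", "divert")

def parse_rule(line):
    """Parse 'add <num> <action> ...' into (num, action, rest)."""
    parts = line.split()
    if parts[0] != "add":
        raise ValueError("expected an 'add' rule: %r" % line)
    return int(parts[1]), parts[2], " ".join(parts[3:])

def first_match(rules):
    """Return (num, action) of the first terminal rule a packet hits.

    Every rule here matches 'all from any to any', so only the numeric
    order matters. A 'divert' sends the packet to natd; when natd
    reinjects it, evaluation resumes at the next rule, so divert is
    terminal for this pass over the ruleset."""
    for num, action, _ in sorted(parse_rule(r) for r in rules):
        if action in TERMINAL_ACTIONS:
            return num, action
    # ipfw's implicit default rule 65535 (deny unless the kernel was built
    # with IPFIREWALL_DEFAULT_TO_ACCEPT)
    return 65535, "deny"

def divert_reachable(rules):
    """True if the natd divert rule is hit before any pass/deny rule."""
    return first_match(rules)[1] == "divert"

# Constructed rulesets. Rule 50 for the natd divert is an assumed number.
OPEN_PASS_AT_1 = [
    "add 1 pass all from any to any",           # the changeset under discussion
    "add 50 divert natd all from any to any",   # natd divert rule
]
OPEN_PASS_AT_65000 = [
    "add 65000 pass all from any to any",       # rc.firewall before 1.3
    "add 50 divert natd all from any to any",
]

if __name__ == "__main__":
    for name, rules in (("pass at 1", OPEN_PASS_AT_1),
                        ("pass at 65000", OPEN_PASS_AT_65000)):
        print(name, "->", first_match(rules), "divert reached:",
              divert_reachable(rules))
```

With the pass rule at 1 the packet is accepted immediately and natd never sees it; with it at 65000 the divert at 50 is hit first.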
