natd and open firewall problem
Andreas Hauser
andy at splashground.de
Sat Feb 26 07:11:54 PST 2005
justin wrote @ Sat, 26 Feb 2005 09:08:53 -0500 (EST):
> > ${fwcmd} add 1 pass all from any to any
Yes, remove the 1.
> case ${firewall_type} in
> [Oo][Pp][Ee][Nn])
> setup_loopback
> ${fwcmd} add 65000 pass all from any to any
> ;;
>
> Andreas - it looks like your last changeset is where the "add 1 ..." rule
> came from. Why did it go from rule 65000 to 1? Any objection to me
> changing it back?
My rationale was that if something goes wrong, e.g. some
other script also adding rules, it will still stay open.
Also, if you later add rules you can work them out entirely
and then activate them by removing rule 1.
Obviously I have not spent much time thinking about divert
rules; that was also why it wasn't a function of its own ...
How about the attached patch?
Andy
Index: rc.firewall
===================================================================
RCS file: /home/dcvs/src/etc/rc.firewall,v
retrieving revision 1.3
diff -u -p -r1.3 rc.firewall
--- rc.firewall 22 Oct 2004 20:26:03 -0000 1.3
+++ rc.firewall 26 Feb 2005 15:09:11 -0000
@@ -93,6 +93,12 @@ if [ -n "$1" ]; then
esac
fi
+divert_nat() {
+ if [ -n "${natd_interface}" ]; then
+ ${fwcmd} add divert natd all from any to any via ${natd_interface}
+ fi
+}
+
allow_loopback() {
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny ${log} all from any to 127.0.0.0/8
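Review bot: divert_nat tests only that natd_interface is non-empty, whereas the block it replaces in the third hunk (the removed `case ${natd_enable} in [Yy][Ee][Ss])` wrapper) also required natd_enable to be yes, so that condition is silently dropped by this patch. On a host where natd_interface is set but natd_enable is NO, the divert rule is now installed with no natd bound to the divert port, and if I read ipfw's divert semantics correctly that drops every packet crossing that interface rather than passing it. Restoring the natd_enable test inside the function keeps both call sites in the third hunk unchanged. The explicit rule number 50 is also gone, so the rule's position now depends purely on where divert_nat is called; the third hunk places it after deny_spoof and before the pass-all rule, which is the right spot, but a one-line comment above the function saying it must be called before any pass rule would document that.
```shell
divert_nat() {
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac
}
```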
@@ -150,7 +156,7 @@ deny_not_routed_nets()
nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
for net in ${nets} ; do
- ${fwcmd} add deny ${log} all from any to $net
+ ${fwcmd} add deny ${log} all from $net to any
done
}
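Review bot: The direction flip on the loop body in deny_not_routed_nets is not mentioned in the mail and replaces the destination-side deny rather than adding a source-side one: after the patch, packets addressed to a private or reserved net pass this function, while packets sourced from one are blocked. If the intent is to catch both spoofed sources and leaked destinations, emit both rules per net, `${fwcmd} add deny ${log} all from $net to any` and `${fwcmd} add deny ${log} all from any to $net`. Denying 0.0.0.0/8 and 169.254.0.0/16 as sources may also need checking on hosts that rely on DHCP or link-local traffic; either way a comment on the nets line stating which direction each net is blocked in would help the next reader. The function's opening line is outside the hunk.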
@@ -163,27 +169,18 @@ deny_rest() {
${fwcmd} -f flush
case ${firewall_type} in
- [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
- case ${natd_enable} in
- [Yy][Ee][Ss])
- if [ -n "${natd_interface}" ]; then
- ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
- fi
- ;;
- esac
-esac
-
-case ${firewall_type} in
[Oo][Pp][Ee][Nn])
allow_loopback
deny_spoof
- ${fwcmd} add 1 pass all from any to any
+ divert_nat
+ ${fwcmd} add pass all from any to any
;;
# historical names
[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
allow_loopback
deny_spoof
+ divert_nat
allow_trusted_nets ${firewall_trusted_nets}
allow_trusted_interfaces ${firewall_trusted_interfaces}
allow_connections