natd and open firewall problem
Andreas Hauser
andy at splashground.de
Sat Feb 26 14:24:06 PST 2005
dillon wrote @ Sat, 26 Feb 2005 12:50:01 -0800 (PST):
> I agree... the pass-all should use a fixed, high numbered rule, like
> 65000. The rule should be added near the beginning of the script,
> like it was before, just as a safety precaution in case the script dies
> somewhere. I think those are the only real problems. I'm not rabid
> about placement, lets just get it fixed and committed :-)
Hmm, since we have [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ==> do nothing
and *) ==> execute a user script, I fail to see a good place
near the beginning, unless we duplicate the case ... in :/
Besides, if we prefer an open firewall to a closed one,
I'd like to change the knob IPFIREWALL_DEFAULT_TO_ACCEPT
to IPFIREWALL_DEFAULT_TO_DENY and make it accept by default,
so one can sanely load the module.
65000 patch below.
Andy
Index: rc.firewall
===================================================================
RCS file: /home/dcvs/src/etc/rc.firewall,v
retrieving revision 1.3
diff -u -p -r1.3 rc.firewall
--- rc.firewall 22 Oct 2004 20:26:03 -0000 1.3
+++ rc.firewall 26 Feb 2005 22:14:53 -0000
@@ -93,6 +93,12 @@ if [ -n "$1" ]; then
esac
fi
+divert_nat() {
+ if [ -n "${natd_interface}" ]; then
+ ${fwcmd} add divert natd all from any to any via ${natd_interface}
+ fi
+}
+
allow_loopback() {
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny ${log} all from any to 127.0.0.0/8
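Review bot: The new `divert_nat` gates only on `natd_interface`, while the block it replaces in the third hunk also required `natd_enable` to be yes; with `natd_interface` set but natd disabled, the divert rule is still installed and matching packets are handed to a divert port with no listener, which presumably drops them rather than forwarding them. Restore the gate as the first line of the function: `case ${natd_enable} in [Yy][Ee][Ss]) ;; *) return ;; esac`. The rule also loses the fixed number 50 the old code used, so its position now depends on where `divert_nat` is called; that looks intentional given the call sites after `deny_spoof`, but a comment on the function saying so would help, e.g. `# Must be called after deny_spoof so diverted packets have already been spoof-checked.`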
@@ -150,7 +156,7 @@ deny_not_routed_nets()
nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
for net in ${nets} ; do
- ${fwcmd} add deny ${log} all from any to $net
+ ${fwcmd} add deny ${log} all from $net to any
done
}
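Review bot: The rewritten rule `${fwcmd} add deny ${log} all from $net to any` matches on source address with no interface qualifier, so on a NAT gateway it also drops legitimate traffic from an internal RFC1918 LAN, and with `0.0.0.0/8` in `nets` it blocks DHCP DISCOVER packets (source 0.0.0.0) if this host runs a DHCP client or server. At the same time the old destination-side check is gone, so packets addressed to these ranges are no longer denied; if the intent was to add source filtering, keep both directions rather than swapping them. The source rule should be scoped to the external interface where one is known, e.g. `${fwcmd} add deny ${log} all from $net to any in via ${natd_interface}` when `natd_interface` is set. The enclosing `deny_not_routed_nets()` starts before this hunk.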
@@ -158,32 +164,26 @@ deny_rest() {
${fwcmd} add 65000 deny ${log} all from any to any
}
+allow_rest() {
+ ${fwcmd} add 65000 pass all from any to any
+}
${fwcmd} -f flush
case ${firewall_type} in
- [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
- case ${natd_enable} in
- [Yy][Ee][Ss])
- if [ -n "${natd_interface}" ]; then
- ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
- fi
- ;;
- esac
-esac
-
-case ${firewall_type} in
[Oo][Pp][Ee][Nn])
allow_loopback
deny_spoof
- ${fwcmd} add 1 pass all from any to any
+ divert_nat
+ allow_rest
;;
# historical names
[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
allow_loopback
deny_spoof
+ divert_nat
allow_trusted_nets ${firewall_trusted_nets}
allow_trusted_interfaces ${firewall_trusted_interfaces}
allow_connections