Hi Serg,

On Mon, 6 Jan 2003, questions-digest V5 #1826 wrote:

 > Date: Mon, 6 Jan 2003 16:07:20 +0300
 > From: Serg Repalov <[EMAIL PROTECTED]>
 > Subject: question about /etc/rc.firewall
 > 
 > Hi.
 > 
 >   Can anyone make clear for me one thing. In file /etc/rc.firewall
 > we have two sections which stops RFC1918 and draft-manning-dsua-03.txt
 > networks:
 >   # Stop RFC1918 nets on the outside interface
 >   [ ... ]
 > 
 >   # Network Address Translation.  This rule is placed here deliberately
 >   [ ... ]
 >   case ${natd_enable} in
 >   [Yy][Ee][Ss])
 >       if [ -n "${natd_interface}" ]; then
 >          ${fwcmd} add divert natd all from any to any via ${natd_interface}
 >       fi
 >       ;;
 >   esac
 > 
 >   # Stop RFC1918 nets on the outside interface
 >   [ ... ]
 > 
 > If we aren't using NAT then we have _two_ sections of the _same_ rules,

No, they're not the same rules - though their comments could be a little
more explicit.  The below is quoted from a FreeBSD 4.5-RELEASE
/etc/rc.firewall, but I expect it's still much the same in 4.7.

First section:

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
        [etc]

Then the NAT rules section you quoted, then:

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
        [etc]

The first section stops any incoming traffic from outside TO any RFC1918
addresses, and the second stops any traffic FROM our RFC1918 addresses
reaching the outside, i.e. it prevents us from spoofing these addresses
(or handles a failure of our NAT setup to properly map such addresses).

 > Where the second section which stops RFC1918 and draft-manning-dsua-03.txt
 > networks is applied only if we're really using NAT?

It's just as important, perhaps more, if we're not using NAT.

Cheers, Ian
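As an added illustration (not part of Ian's or Serg's mail, and not FreeBSD's own code), here is a small Python model of the first-match semantics of the two rc.firewall sections above. It assumes an outside interface named `fxp0` and an inside interface named `xl0`, and it only models the `deny ... via ${oif}` rules, not natd or the rest of the ruleset.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of ipfw "deny all from SRC to DST via IFACE": the first
# matching rule wins, and a packet that matches no deny rule is allowed here.
# This illustrates the two /etc/rc.firewall sections; it is not ipfw itself.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
OIF = "fxp0"   # assumed name of the outside interface (${oif})


@dataclass(frozen=True)
class Rule:
    section: str
    src: str    # "any" or a CIDR
    dst: str    # "any" or a CIDR
    via: str    # interface name ("via" matches either direction on it)


def _matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


# First section: deny anything destined TO an RFC1918 net on the outside interface.
# Second section: deny anything FROM an RFC1918 net on the outside interface.
RULES = [Rule("first (to RFC1918)", "any", net, OIF) for net in RFC1918] + \
        [Rule("second (from RFC1918)", net, "any", OIF) for net in RFC1918]


def render(fwcmd: str = "ipfw") -> list:
    """The equivalent command lines, in the form rc.firewall emits them."""
    return [f"{fwcmd} add deny all from {r.src} to {r.dst} via {r.via}" for r in RULES]


def check(src: str, dst: str, via: str) -> str:
    """Return the section that denies the packet, or 'allow' if none matches."""
    for r in RULES:
        if r.via == via and _matches(r.src, src) and _matches(r.dst, dst):
            return r.section
    return "allow"


if __name__ == "__main__":
    # Constructed sample packets: 203.0.113.7 is a documentation address standing in for "outside".
    print(check("203.0.113.7", "10.1.2.3", OIF))      # inbound to a private destination
    print(check("192.168.1.5", "203.0.113.7", OIF))   # private source leaking/spoofed outbound
    print(check("192.168.1.5", "192.168.1.1", "xl0")) # inside interface, neither section applies
```

The second case is the one Ian describes: with NAT off, a packet leaving with a private source address is caught only by the second section, so that section matters whether or not natd is in use.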
