From gnb@itga.com.au Wed Sep 15 19:45:21 1999
Return-Path: <gnb@itga.com.au>
Received: from ns.itga.com.au (ns.itga.com.au [192.83.119.129])
	by hub.freebsd.org (Postfix) with ESMTP id 6764914D4D
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 15 Sep 1999 19:45:15 -0700 (PDT)
	(envelope-from gnb@itga.com.au)
Received: from lightning.itga.com.au (lightning.itga.com.au [192.168.71.20])
	by ns.itga.com.au (8.9.3/8.9.3) with ESMTP id MAA01693
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 16 Sep 1999 12:45:12 +1000 (EST)
Received: from hellcat.itga.com.au (hellcat.itga.com.au [192.168.71.163])
	by lightning.itga.com.au (8.9.1a/8.9.1) with ESMTP id MAA06838;
	Thu, 16 Sep 1999 12:45:12 +1000 (EST)
Received: (from gnb@localhost)
	by hellcat.itga.com.au (8.9.3/8.9.3) id MAA15823;
	Thu, 16 Sep 1999 12:45:11 +1000 (EST)
	(envelope-from gnb@itga.com.au)
Message-Id: <199909160245.MAA15823@hellcat.itga.com.au>
Date: Thu, 16 Sep 1999 12:45:11 +1000 (EST)
From: Gregory Bond <gnb@itga.com.au>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] NATD & rc.firewall "simple" not compatible
X-Send-Pr-Version: 3.2

>Number:         13769
>Category:       conf
>Synopsis:       NATD is not compatible with the "simple" firewall as shipped
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 15 19:50:00 PDT 1999
>Closed-Date:    Tue Aug 8 01:50:43 PDT 2000
>Last-Modified:  Tue Aug 08 01:57:24 PDT 2000
>Originator:     Gregory Bond <gnb@itga.com.au>
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
ITG Australia Ltd
>Environment:

FreeBSD hellcat.itga.com.au 3.2-STABLE FreeBSD 3.2-STABLE #1: Mon Aug  2 14:37:40 EST 1999     toor@hellcat.itga.com.au:/usr/src/sys/compile/Hellcat  i386

>Description:

As shipped, the rc.firewall file contains a "simple" firewall
config.  Presumably, many users will base their configs on this
example.  This config attempts to trap spoofing of addresses on
RFC1918 nets from using the external interface.  If NATD is in use
and your internal net is an RFC1918 net, then these anti-spoofing
rules trap legitimate inbound packets that have been processed by
natd. The end result is that you can't actually use natd to connect
to outside hosts.  The fix is to apply the RFC1918 traps only to
incoming or outgoing packets as required.

As an aside, both the natd divert rule and the somewhat important
'any to any via lo0' rule wind up as rule # 100.

The attached patch fixes both these problems.

>How-To-Repeat:

Use a 192.168.x.y internal network and NATD.  Add a rule like

	$fwcmd add pass log tcp from ${mel} to any ssh out via ${oif} setup

and note that outgoing packets are accepted by this rule and sent to the
internet, but incoming packets are trapped by the rule that says 

	$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

and no outgoing ssh is possible.

>Fix:
	
--- etc/rc.firewall.orig	Thu Sep 16 12:31:07 1999
+++ etc/rc.firewall	Thu Sep 16 12:32:45 1999
@@ -79,7 +79,7 @@
 
 ############
 # Only in rare cases do you want to change these rules
-$fwcmd add 100 pass all from any to any via lo0
+$fwcmd add 150 pass all from any to any via lo0
 $fwcmd add 200 deny all from any to 127.0.0.0/8
 
 
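Review bot: moving the loopback pass rule from 100 to 150 sidesteps the collision rather than fixing it; the divert rule is added without a number and only lands on 100 through ipfw's automatic numbering, so any later unnumbered rule added ahead of it shifts the problem elsewhere. Give the divert rule an explicit number below 100 instead (e.g. `$fwcmd add 50 divert natd all from any to any via ${natd_interface}`) and leave the lo0 rule at 100, where the comment above it says the rule should not normally change.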
@@ -151,12 +151,12 @@
     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
 
     # Stop RFC1918 nets on the outside interface
-    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
-    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
-    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
-    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
-    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
-    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
+    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
+    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
+    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
+    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
+    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
+    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}
 
     # Allow TCP through if setup succeeded
     $fwcmd add pass tcp from any to any established
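Review bot: the `in`/`out` qualifiers are applied unconditionally, so on a host that does not run natd the `from 192.168.0.0:255.255.0.0 to any in via ${oif}` rule no longer blocks RFC1918-sourced packets leaving the external interface, and the `out via ${oif}` rules no longer block inbound packets addressed to RFC1918 destinations. Only the `to <RFC1918 net>` rules need relaxing, and only when natd is in use, because natd rewrites the destination of inbound packets before they re-enter the ruleset while outbound packets are already translated by the divert rule before these rules are reached; consider keying the `out` keyword on `natd_enable` and leaving the `from` rules as plain `via ${oif}`.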

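As an added illustration of the Description and How-To-Repeat sections (not part of the PR or of rc.firewall), this toy Python model evaluates ipfw-style rules first-match-wins, with a divert rule that hands the packet to a natd stand-in and re-enters the translated packet minus divert rules; the addresses, the rule numbers 50 and 300 onwards, and the `natd` translation are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
# Constructed addressing (not from the PR): public address on ${oif}, natd hides an RFC1918 host.
PUBLIC, INSIDE = ip_address("203.0.113.5"), ip_address("192.168.1.20")
RFC1918 = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
ANY = "0.0.0.0/0"

def rc_firewall_simple(direction_aware):
    """Rules as (number, action, direction, src_net, dst_net), all via ${oif}.
    direction None is plain `via ${oif}`; the PR's fix adds `in`/`out`."""
    rules = [(50, "divert", None, ANY, ANY)]           # natd divert rule
    num = 300
    for net in RFC1918:
        rules.append((num, "deny", "in" if direction_aware else None, net, ANY))
        rules.append((num + 100, "deny", "out" if direction_aware else None, ANY, net))
        num += 200
    rules.append((65000, "pass", None, ANY, ANY))
    return rules

def natd(pkt):
    """natd(8) stand-in: inbound to PUBLIC -> INSIDE, outbound from INSIDE -> PUBLIC."""
    src, dst, direction = pkt
    if direction == "in" and dst == PUBLIC:
        return (src, INSIDE, direction)
    if direction == "out" and src == INSIDE:
        return (PUBLIC, dst, direction)
    return pkt

def ipfw(rules, pkt, translated=False):
    """First match wins; a divert match runs natd and re-enters the ruleset
    with the translated packet, skipping divert rules as natd(8) describes."""
    src, dst, direction = pkt
    for _num, action, rule_dir, src_net, dst_net in rules:
        if action == "divert" and translated:
            continue
        if rule_dir not in (None, direction):
            continue                                   # `in`/`out` did not match
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            if action == "divert":
                return ipfw(rules, natd(pkt), translated=True)
            return action
    return "deny"                                      # implicit default rule

def verdicts(direction_aware):
    rules = rc_firewall_simple(direction_aware)
    return {
        "reply_in": ipfw(rules, (ip_address("198.51.100.7"), PUBLIC, "in")),
        "spoof_in": ipfw(rules, (ip_address("10.1.2.3"), PUBLIC, "in")),
        "leak_out": ipfw(rules, (INSIDE, ip_address("10.9.9.9"), "out")),
        "normal_out": ipfw(rules, (INSIDE, ip_address("198.51.100.7"), "out")),
    }
```

With the stock rules the legitimate reply is denied after natd rewrites its destination, while the direction-aware rules pass it and still deny the spoofed inbound source and the outbound leak to an RFC1918 destination.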
>Release-Note:
>Audit-Trail:

From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: Gregory Bond <gnb@itga.com.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: conf/13769: [PATCH] NATD & rc.firewall "simple" not compatible
Date: Thu, 16 Sep 1999 13:49:29 +0300

 On Thu, Sep 16, 1999 at 12:45:11PM +1000, Gregory Bond wrote:
 [...]
 >      # Stop RFC1918 nets on the outside interface
 > -    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
 > -    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
 > -    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
 > -    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
 > -    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
 > -    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
 > +    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
 > +    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
 > +    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
 > +    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
 > +    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
 > +    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}
 
 First, thank you very much for your problem report!
 
 But this modification would make an unnecessary ipfw(8) tweak.
 A more robust (IMO) patch is attached.
 
 
 -- 
 Ruslan Ermilov		Sysadmin and DBA of the
 ru@ucb.crimea.ua	United Commercial Bank,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.247.647	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 
 Content-Disposition: attachment; filename=p
 
 Index: rc.firewall
 ===================================================================
 RCS file: /usr/FreeBSD-CVS/src/etc/rc.firewall,v
 retrieving revision 1.19.2.2
 diff -u -r1.19.2.2 rc.firewall
 --- rc.firewall	1999/08/29 14:18:55	1.19.2.2
 +++ rc.firewall	1999/09/16 10:23:24
 @@ -66,7 +66,10 @@
  # will then be run again on each packet after translation by natd,
  # minus any divert rules (see natd(8)).
  if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
 -        $fwcmd add divert natd all from any to any via ${natd_interface}
 +        $fwcmd add 50 divert natd all from any to any via ${natd_interface}
 +	_natd_enabled="YES"
 +else
 +	_natd_enabled=""
  fi
  
  ############
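Review bot: the two new `_natd_enabled` assignments are indented with a tab while the `$fwcmd` line they follow uses spaces; match the file's existing indentation. The explicit `50` on the divert rule resolves the clash with `add 100 pass all from any to any via lo0` reported in the PR, but nothing in the file now says that a number below 100 is taken; a one-line comment beside the divert rule would keep the next editor from reusing 50 or inserting something ahead of the divert.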
 @@ -152,11 +155,11 @@
  
      # Stop RFC1918 nets on the outside interface
      $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
 -    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
 +    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 ${_natd_enabled:+out} via ${oif}
      $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
 -    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
 +    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 ${_natd_enabled:+out} via ${oif}
      $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
 -    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
 +    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 ${_natd_enabled:+out} via ${oif}
  
      # Allow TCP through if setup succeeded
      $fwcmd add pass tcp from any to any established
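Review bot: `${_natd_enabled:+out}` expands to the word `out` when natd is enabled and to nothing otherwise, which works only because the expansion is unquoted so an empty result vanishes instead of handing ipfw an empty argument; anyone who later quotes it will break all three rules silently. rc.firewall is copied by users who may not know the `:+` form, so add a short comment above these rules saying that the destination-side RFC1918 check is relaxed to outbound only when natd rewrites inbound destinations, and that `_natd_enabled` is set by the natd block earlier in the file.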
 
 
Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: nra 
Responsible-Changed-When: Thu Jul 20 20:02:31 PDT 2000 
Responsible-Changed-Why:  
ru is interested in natd. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=13769 
State-Changed-From-To: open->feedback 
State-Changed-By: ru 
State-Changed-When: Fri Aug 4 07:02:50 PDT 2000 
State-Changed-Why:  
Fixed in 5.0-CURRENT, src/etc/rc.firewall,v 1.36. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=13769 
State-Changed-From-To: feedback->closed 
State-Changed-By: ru 
State-Changed-When: Tue Aug 8 01:50:43 PDT 2000 
State-Changed-Why:  
Fixed in 4.1-STABLE, src/etc/rc.firewall,v 1.30.2.5. 
Fixed in 3.5-STABLE, src/etc/rc.firewall,v 1.19.2.5. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=13769 
>Unformatted:
