From nobody@FreeBSD.org  Fri Jun 25 16:16:46 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6F096106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Jun 2010 16:16:46 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5E3348FC12
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Jun 2010 16:16:46 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o5PGGkka098384
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Jun 2010 16:16:46 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o5PGGkYQ098382;
	Fri, 25 Jun 2010 16:16:46 GMT
	(envelope-from nobody)
Message-Id: <201006251616.o5PGGkYQ098382@www.freebsd.org>
Date: Fri, 25 Jun 2010 16:16:46 GMT
From: David Naylor <naylor.b.david@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] add ipfw_nat support for rc.firewall simple type
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         148144
>Category:       conf
>Synopsis:       [patch] add ipfw_nat support for rc.firewall simple type
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    hrs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 25 16:20:03 UTC 2010
>Closed-Date:    
>Last-Modified:  Sat Jan 15 16:16:33 UTC 2011
>Originator:     David Naylor
>Release:        FreeBSD-9
>Organization:
Private
>Environment:
FreeBSD dragon.dg 9.0-CURRENT FreeBSD 9.0-CURRENT #0: Sat Jun 19 19:08:38 SAST 2010     root@dragon.dg:/tmp/home/freebsd9/src/sys/DRAGON  amd64
>Description:
rc.firewall includes support for freebsd_nat_enable but it appears omitted in the "simple" firewall type.  The attached patch adds such support.  

I have used this change for a while to provide support for NAT on my server.  
>How-To-Repeat:
n/a
>Fix:
n/a

Patch attached with submission follows:

--- rc.firewall~	2010-06-25 18:10:42.000000000 +0200
+++ rc.firewall	2010-06-25 18:11:16.000000000 +0200
@@ -318,6 +318,21 @@
 		fi
 		;;
 	esac
+	case ${firewall_nat_enable} in
+	[Yy][Ee][Ss])
+		if [ -n "${firewall_nat_interface}" ]; then
+			if echo "${firewall_nat_interface}" | \
+				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
+				firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
+			else
+				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
+			fi
+			${fwcmd} nat 123 config log ${firewall_nat_flags}
+			${fwcmd} add nat 123 ip4 from any to any via ${firewall_nat_interface}
+		fi
+		;;
+	esac
+
 
 	# Stop RFC1918 nets on the outside interface
 	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
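
Review bot: the added `case ${firewall_nat_enable}` block (the interface-vs-address test, `nat 123 config log` and the `add nat 123` rule) reproduces the kernel-nat setup that rc.firewall already carries for the other firewall types rather than sharing it, so the `grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'` test and the `firewall_nat_flags` composition now have to be kept in sync in two places; factoring the block into a function called from each firewall type would avoid that. Two smaller points: the regex only tells a dotted-decimal string apart from an interface name and accepts values such as `1.2` or `999.1`, so an invalid address is left for `ipfw nat config` to reject at run time, and the extra `+` empty line before the existing blank line leaves two consecutive empty lines ahead of the `# Stop RFC1918 nets` comment.
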


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jun 27 04:20:49 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148144 
Responsible-Changed-From-To: freebsd-rc->freebsd-ipfw 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Sun Jun 27 04:41:51 UTC 2010 
Responsible-Changed-Why:  

Not rc.d related, and I think the -ipfw folks are in a better 
position to determine if nat config falls into the "simple" 
category or not. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148144 

From: Ian Smith <smithi@nimnet.asn.au>
To: bug-followup@FreeBSD.org, naylor.b.david@gmail.com
Cc:  
Subject: Re: conf/148144: [patch] add ipfw_nat support for rc.firewall simple type
Date: Sun, 27 Jun 2010 18:29:38 +1000

 This patch is certainly needed to make 'simple' usable out of the box.
 
 I'd like to offer an alternative patch, reusing rather than duplicating
 the existing NAT code, making it a function with the same functionality.
 
 This patch also adds allowing outbound pings and essential ICMP to both
 'client' and 'simple' rulesets, another long-term omission.  I'd have
 also included the complementary ipv6-icmp rules from 'workstation' but
 I have no way to test and confirm their correctness.
 
 cheers, Ian
 
 Attachment: rc.firewall.patch
 
 --- rc.firewall.1.69	Sun Jun 27 16:43:48 2010
 +++ rc.firewall	Sun Jun 27 17:48:15 2010
 @@ -142,20 +142,19 @@
  setup_ipv6_mandatory
  
  ############
 -# Network Address Translation.  All packets are passed to natd(8)
 -# before they encounter your remaining rules.  The firewall rules
 -# will then be run again on each packet after translation by natd
 -# starting at the rule number following the divert rule.
 +# Network Address Translation.  All packets are passed to natd(8) or
 +# kernel nat before they encounter your remaining rules.  The firewall
 +# rules will then be run again on each packet after nat translation
 +# starting at the rule number following the divert or nat rule.
  #
 -# For ``simple'' firewall type the divert rule should be put to a
 +# For ``simple'' firewall type the divert or nat rule is included in a
  # different place to not interfere with address-checking rules.
  #
 -case ${firewall_type} in
 -[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
 +setup_nat () {
  	case ${natd_enable} in
  	[Yy][Ee][Ss])
  		if [ -n "${natd_interface}" ]; then
 -			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
 +			${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface}
  		fi
  		;;
  	esac
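
Review bot: `setup_nat` takes its rule number from `$1`, but nothing documents that the argument is optional; the simple type calls it with no argument, so `${fwcmd} add $1 divert natd ip4 ...` degrades to an auto-numbered `add`, which is the intended behaviour but easy to break for a later editor. A one-line comment above `setup_nat () {` along the lines of `# setup_nat [rulenum]  (no rulenum: rule is appended at the current position)` would make the contract explicit. The old `[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt]` guard is also gone, so whether NAT is configured now depends solely on which firewall types call the function; the header comment could list them.
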
 @@ -169,11 +168,11 @@
  				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
  			fi
  			${fwcmd} nat 123 config log ${firewall_nat_flags}
 -			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
 +			${fwcmd} add $1 nat 123 ip4 from any to any via ${firewall_nat_interface}
  		fi
  		;;
  	esac
 -esac
 +}
  
  ############
  # If you just configured ipfw in the kernel as a tool to solve network
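
Review bot: the function body overwrites `firewall_nat_flags` in place (`firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"`) before `${fwcmd} nat 123 config log ${firewall_nat_flags}`, so a second call to `setup_nat` would prefix the variable again and issue a `nat 123 config` with a doubled interface option. Each firewall type calls it once today, but composing the flags into a local variable instead of the rc.conf variable would make the function safe to call more than once and keep `firewall_nat_flags` readable afterwards.
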
 @@ -188,6 +187,7 @@
  #
  case ${firewall_type} in
  [Oo][Pp][Ee][Nn])
 +	setup_nat 50
  	${fwcmd} add 65000 pass all from any to any
  	;;
  
 @@ -205,6 +205,8 @@
  	net="$firewall_client_net"
  	net6="$firewall_client_net_ipv6"
  
 +	setup_nat 50
 +
  	# Allow limited broadcast traffic from my own net.
  	${fwcmd} add pass all from ${net} to 255.255.255.255
  
 @@ -245,6 +247,12 @@
  	# Allow NTP queries out in the world
  	${fwcmd} add pass udp from me to any 123 keep-state
  
 +	# Allow outbound pings
 +	${fwcmd} add pass icmp from me to any out icmptypes 8 keep-state
 +
 +	# Allow essential ICMP: unreachable, source quench, TTL exceeded
 +	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
 +
  	# Everything else is denied by default, unless the
  	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
  	# config file.
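
Review bot: `pass icmp from any to any icmptypes 3,4,11` admits ICMP type 4 (source quench) from anywhere; source quench is deprecated and current stacks ignore it, so accepting it only adds an unsolicited-packet path and `icmptypes 3,11` would cover the "essential" set the comment names. The outbound ping rule is stateful (`keep-state`), so echo replies are matched by the dynamic rule and no separate inbound type 0 rule is needed; stating that in the comment would stop the next reader from adding one.
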
 @@ -311,13 +319,7 @@
  	# translated by natd(8) would match the `deny' rule above.  Similarly
  	# an outgoing packet originated from it before being translated would
  	# match the `deny' rule below.
 -	case ${natd_enable} in
 -	[Yy][Ee][Ss])
 -		if [ -n "${natd_interface}" ]; then
 -			${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
 -		fi
 -		;;
 -	esac
 +	setup_nat
  
  	# Stop RFC1918 nets on the outside interface
  	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
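
Review bot: the comment kept above the call (`translated by natd(8) would match the \`deny' rule above ...`) still describes natd only, while `setup_nat` now also installs the kernel `nat 123` rule here; update it to mention both, as the header comment in the first hunk already does. Calling `setup_nat` without a rule number is right at this point, since the rule has to land between the address checks above and the RFC1918 denies below, but the NAT rules select on `via ${natd_interface}` / `via ${firewall_nat_interface}` while the surrounding rules key on `${oif}`; if the rc.conf interface differs from `${oif}` the translation rule and the address checks apply to different interfaces, so a comment (or a check) that the NAT interface must be the outside interface would help.
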
 @@ -414,6 +416,12 @@
  
  	# Allow NTP queries out in the world
  	${fwcmd} add pass udp from me to any 123 keep-state
 +
 +	# Allow outbound pings from our net
 +	${fwcmd} add pass icmp from any to any out icmptypes 8 keep-state
 +
 +	# Allow essential ICMP: unreachable, source quench, TTL exceeded
 +	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
  
  	# Everything else is denied by default, unless the
  	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
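
Review bot: the comment says `Allow outbound pings from our net` but the rule matches `from any to any out`, so any source address leaving any interface can open a stateful echo entry; restricting the source to the inside network the simple ruleset already defines (or at least adding `via ${oif}`) would make the rule match its comment and keep it consistent with the client version, which uses `from me`. As in the client hunk, `icmptypes 3,4,11` includes deprecated source quench (type 4), which can be dropped from the list.
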
 
Responsible-Changed-From-To: freebsd-ipfw->hrs 
Responsible-Changed-By: hrs 
Responsible-Changed-When: Sat Jan 15 16:15:57 UTC 2011 
Responsible-Changed-Why:  
I'll take this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148144 
>Unformatted:
