From stephen@cauchy.math.missouri.edu  Wed Jul 26 10:33:07 2000
Return-Path: <stephen@cauchy.math.missouri.edu>
Received: from cauchy.math.missouri.edu (cauchy.math.missouri.edu [128.206.49.166])
	by hub.freebsd.org (Postfix) with ESMTP id E1AE437BF06
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 26 Jul 2000 10:33:05 -0700 (PDT)
	(envelope-from stephen@cauchy.math.missouri.edu)
Received: (from stephen@localhost)
	by cauchy.math.missouri.edu (8.9.3/8.9.1) id MAA35440;
	Wed, 26 Jul 2000 12:33:04 -0500 (CDT)
Message-Id: <200007261733.MAA35440@cauchy.math.missouri.edu>
Date: Wed, 26 Jul 2000 12:33:04 -0500 (CDT)
From: Stephen Montgomery-Smith <stephen@cauchy.math.missouri.edu>
Reply-To: stephen@math.missouri.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: rc.firewall with firewall_type=simple doesn't work with natd
X-Send-Pr-Version: 3.2

>Number:         20197
>Category:       conf
>Synopsis:       rc.firewall with firewall_type=simple doesn't work with natd
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 26 10:40:01 PDT 2000
>Closed-Date:    Fri Aug 4 07:05:21 PDT 2000
>Last-Modified:  Fri Aug 04 07:06:42 PDT 2000
>Originator:     Stephen Montgomery-Smith
>Release:        FreeBSD 4.1-RC i386
>Organization:
University of Missouri
>Environment:

Using the default /etc/rc.firewall with firewall_type=simple;
using natd;
having an internal network that uses any of the unregistered IP numbers
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

>Description:

Incoming packets that get translated by natd to be on the internal
network are killed by the rules following the line
# Stop RFC1918 nets on the outside interface

>How-To-Repeat:

Happens every time

>Fix:

Have the natd divert rule come after the lines associated with
# Stop RFC1918 nets on the outside interface
Here is a patch to /etc/rc.firewall:


--- /usr/etc-chg/4.0158/etc/rc.firewall	Sat Jul 15 19:31:58 2000
+++ rc.firewall	Wed Jul 26 02:28:01 2000
@@ -178,6 +178,17 @@
 	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
 	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 
+	# Change the natd rule to here, otherwise the RFC1918 rules might
+	# kill valid packets made by natd
+	case ${natd_enable} in
+	[Yy][Ee][Ss])
+		if [ -n "${natd_interface}" ]; then
+		${fwcmd} delete 50
+	      	${fwcmd} add divert natd all from any to any via ${natd_interface}
+		fi
+		;;
+	esac
+
 	# Stop draft-manning-dsua-01.txt nets on the outside interface
 	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
 	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
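Review bot: moving the divert after both halves of the RFC1918 block fixes the inbound case but breaks the outbound one. A packet leaving an internal 10.0.0.0/8 host still carries its private source address when it reaches `${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}`, so it is dropped before natd ever sees it; only rules after the divert see the rewritten packet, because ipfw resumes at the rule following the divert. The `to`-side denies need to stay before the divert and the `from`-side denies go after it. Separately, `${fwcmd} delete 50` hard-codes the number the stock script assigns to its divert rule; if that number changes, the delete fails and the original rule keeps firing first.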


>Release-Note:
>Audit-Trail:

From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: freebsd-gnats-submit@FreeBSD.org, stephen@math.missouri.edu
Cc:  
Subject: Re: conf/20197: rc.firewall with firewall_type=simple doesn't work with natd
Date: Wed, 26 Jul 2000 17:04:25 -0500

 Sorry, what I have doesn't work - use this instead:
 
 
 
 
 -- 
 Stephen Montgomery-Smith
 Department of Mathematics, University of Missouri, Columbia, MO 65211
 Phone 573-882-4540, fax 573-882-1869
 http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu
 --- /usr/etc-chg/4.0158/etc/rc.firewall	Sat Jul 15 19:31:58 2000
 +++ rc.firewall-default	Wed Jul 26 17:01:10 2000
 @@ -170,6 +170,17 @@
  	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
  	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
  
 +	# Change the outgoing natd rule to here, otherwise the RFC1918
 +	# rules might kill valid packets made by natd
 +	case ${natd_enable} in
 +	[Yy][Ee][Ss])
 +		if [ -n "${natd_interface}" ]; then
 +		${fwcmd} delete 50
 +	      	${fwcmd} add divert natd all from any to any out via ${natd_interface}
 +		fi
 +		;;
 +	esac
 +
  	# Stop RFC1918 nets on the outside interface
  	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
  	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
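Review bot: the `out via` divert placed ahead of the RFC1918 block is the right side for outbound traffic: the private source is rewritten to the public address before `deny all from 10.0.0.0/8 to any via ${oif}` is evaluated. Two points to tighten: `${fwcmd} delete 50` hard-codes the rule number the stock script gives its divert rule, so the delete should be guarded or the number taken from one place; and the `divert` line's indentation mixes spaces and tabs, unlike the rest of the script. The comment would also help a later reader if it said the split relies on ipfw resuming after the divert with the translated packet.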
 @@ -177,6 +188,16 @@
  	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
  	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
  	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 +
 +	# Change the incoming natd rule to here, otherwise the RFC1918
 +	# rules might kill valid packets made by natd
 +	case ${natd_enable} in
 +	[Yy][Ee][Ss])
 +		if [ -n "${natd_interface}" ]; then
 +	      	${fwcmd} add divert natd all from any to any in via ${natd_interface}
 +		fi
 +		;;
 +	esac
  
  	# Stop draft-manning-dsua-01.txt nets on the outside interface
  	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
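Review bot: the `in via` divert after the RFC1918 denies does what the Description asks: an inbound reply to the public address passes the `to 10.0.0.0/8` check untranslated, natd then rewrites the destination, and since ipfw resumes at the next rule the deny is not re-evaluated on the rewritten packet. The source was checked before the divert, so a packet arriving on ${oif} with a spoofed RFC1918 source is still dropped. The comment should say explicitly that the `in` and `out` halves are deliberately on opposite sides of the block, so nobody merges them back into a single `via` rule; the `divert` line has the same space/tab indentation mix as the first hunk.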
 

From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: freebsd-gnats-submit@FreeBSD.org, stephen@math.missouri.edu
Cc:  
Subject: Re: conf/20197: rc.firewall with firewall_type=simple doesn't work with natd
Date: Wed, 26 Jul 2000 17:38:53 -0500

 Or an even better way - sorry for all my follow ups.
 --- /usr/etc-chg/4.0158/etc/rc.firewall	Sat Jul 15 19:31:58 2000
 +++ rc.firewall-default	Wed Jul 26 17:35:27 2000
 @@ -171,12 +171,25 @@
  	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
  
  	# Stop RFC1918 nets on the outside interface
 -	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
  	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
 -	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
  	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
 -	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
  	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 +
 +	# Change the natd rule to here, otherwise the RFC1918
 +	# rules might kill valid packets made by natd
 +	case ${natd_enable} in
 +	[Yy][Ee][Ss])
 +		if [ -n "${natd_interface}" ]; then
 +		${fwcmd} delete 50
 +	      	${fwcmd} add divert natd all from any to any via ${natd_interface}
 +		fi
 +		;;
 +	esac
 +
 +	# Stop RFC1918 nets on the outside interface
 +	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
 +	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
 +	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
  
  	# Stop draft-manning-dsua-01.txt nets on the outside interface
  	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
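Review bot: this ordering (destination denies, divert, source denies) covers both directions with a single `via` rule: outbound packets pass the `to` checks with their real destination and have their private source rewritten before the `from` checks; inbound packets have their public destination checked before natd rewrites it and their source checked afterwards, which still catches a spoofed RFC1918 source. The comment `# Stop RFC1918 nets on the outside interface` now labels two different blocks; give them distinct comments (packets destined to RFC1918 nets versus packets sourced from them) and state that the split relies on ipfw resuming after the divert rule with the translated packet. `${fwcmd} delete 50` still hard-codes the stock rule number.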
 

From: Gregory Bond <gnb@itga.com.au>
To: stephen@math.missouri.edu
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: conf/20197: rc.firewall with firewall_type=simple doesn't work with natd 
Date: Thu, 27 Jul 2000 09:38:44 +1000

 See http://www.freebsd.org/cgi/query-pr.cgi?pr=13769 for an earlier PR with a 
 better solution to this problem.
 
 Someone really orta commit this.....  it comes up quite regularly.
 
 
 

From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: Gregory Bond <gnb@itga.com.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: conf/20197: rc.firewall with firewall_type=simple doesn't work with natd
Date: Wed, 26 Jul 2000 18:47:32 -0500

 Gregory Bond wrote:
 > 
 > See http://www.freebsd.org/cgi/query-pr.cgi?pr=13769 for an earlier PR with a
 > better solution to this problem.
 > 
 > Someone really orta commit this.....  it comes up quite regularly.
 
 Actually I like the solution I offered (not mine) a bit better because
 it closes slightly more possible bad traffic.
 
 -- 
 Stephen Montgomery-Smith
 Department of Mathematics, University of Missouri, Columbia, MO 65211
 Phone 573-882-4540, fax 573-882-1869
 http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu
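The following Python model is an added illustration of the rule-ordering problem described in this PR; it is not code from the report or from FreeBSD's rc.firewall. It models the one ipfw property the patches depend on: natd re-injects the rewritten packet and ipfw resumes at the rule after the divert, so rules before the divert see the packet as it arrived and rules after it see it as translated. The interface name, addresses and NAT mapping are constructed for the demo, and the outside interface is assumed to be the natd interface. It evaluates the four orderings seen in the thread (stock rc.firewall and the three patches) against a NAT reply, an outbound LAN packet, a spoofed RFC1918 source and an RFC1918 destination arriving from outside.

```python
"""Toy ipfw/natd evaluation model for the rule orderings discussed in conf/20197.

Added example, not code from the PR or from FreeBSD. It only models that natd
re-injects a rewritten packet and ipfw resumes at the rule after the divert.
Interface name, addresses and the NAT mapping are constructed for the demo.
"""
from ipaddress import ip_address, ip_network

OIF = "ed0"                                 # assumed: ${oif} is also ${natd_interface}
PUBLIC_IP = ip_address("203.0.113.7")       # constructed public address on OIF
INTERNAL_NET = ip_network("10.0.0.0/24")    # constructed internal LAN
NAT_PORT = 60000                            # constructed port natd handed out
LAN_HOST = ip_address("10.0.0.5")           # constructed host behind the mapping
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Packet:
    def __init__(self, src, dst, dport, direction, iface=OIF):
        self.src, self.dst = ip_address(src), ip_address(dst)
        self.dport = dport
        self.direction = direction          # "in" or "out" on iface
        self.iface = iface


def natd(pkt):
    """What natd -interface OIF would do to the packet; rewrites it in place."""
    if pkt.direction == "out" and pkt.src in INTERNAL_NET:
        pkt.src = PUBLIC_IP                 # masquerade the private source
    elif pkt.direction == "in" and pkt.dst == PUBLIC_IP and pkt.dport == NAT_PORT:
        pkt.dst = LAN_HOST                  # map the reply back to the LAN host


def rule(action, src="any", dst="any", direction=None, iface=OIF):
    """One ipfw rule: plain 'via' is direction=None, 'in via'/'out via' otherwise."""
    return {"action": action,
            "src": None if src == "any" else ip_network(src),
            "dst": None if dst == "any" else ip_network(dst),
            "direction": direction, "iface": iface}


def matches(r, pkt):
    return (r["iface"] == pkt.iface
            and r["direction"] in (None, pkt.direction)
            and (r["src"] is None or pkt.src in r["src"])
            and (r["dst"] is None or pkt.dst in r["dst"]))


def evaluate(rules, pkt):
    """Walk the rules in order: 'deny', or 'pass' if we fall through to the rest of the ruleset."""
    for r in rules:
        if not matches(r, pkt):
            continue
        if r["action"] == "deny":
            return "deny"
        if r["action"] == "divert":
            natd(pkt)   # rewritten packet comes back; the search resumes at the next rule
    return "pass"


def rfc1918_denies(side):
    """The 'Stop RFC1918 nets' block, or only its 'from' or 'to' half."""
    rules = []
    for net in RFC1918:
        if side in ("from", "both"):
            rules.append(rule("deny", src=str(net)))   # deny all from NET to any via ${oif}
        if side in ("to", "both"):
            rules.append(rule("deny", dst=str(net)))   # deny all from any to NET via ${oif}
    return rules


def divert(direction=None):
    return rule("divert", direction=direction)         # divert natd all from any to any [in|out] via OIF


RULESETS = {
    "stock":  [divert()] + rfc1918_denies("both"),                            # rule 50 first
    "patch1": rfc1918_denies("both") + [divert()],                            # first patch
    "patch2": [divert("out")] + rfc1918_denies("both") + [divert("in")],      # second patch
    "patch3": rfc1918_denies("to") + [divert()] + rfc1918_denies("from"),     # third patch
}


def sample_packets():
    """Fresh constructed packets on each call, since natd() rewrites them."""
    return {
        "nat_reply":   Packet("198.51.100.9", str(PUBLIC_IP), NAT_PORT, "in"),  # reply to a NAT'd flow
        "outbound":    Packet(str(LAN_HOST), "198.51.100.9", 80, "out"),       # LAN host going out
        "spoofed_src": Packet("10.9.9.9", str(PUBLIC_IP), NAT_PORT, "in"),      # private source from outside
        "rfc1918_dst": Packet("198.51.100.9", str(LAN_HOST), 1025, "in"),      # private destination from outside
    }


def verdicts(ruleset):
    return {name: evaluate(RULESETS[ruleset], pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:7s}", verdicts(name))
```

Running it shows the stock ordering dropping the NAT reply, the first patch dropping the outbound packet instead, and the second and third patches passing both while still denying the spoofed source and the private destination; the model is a check on the reasoning, not a substitute for testing the real ruleset with ipfw.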
 
Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Thu Jul 27 04:33:54 PDT 2000 
Responsible-Changed-Why:  
Ruslan, this one may interest you. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20197 
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Fri Aug 4 07:05:21 PDT 2000 
State-Changed-Why:  
Duplicate of PR 13769. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20197 
>Unformatted:
 Stephen Montgomery-Smith
