From nobody@FreeBSD.org  Mon Aug 19 18:46:40 2002
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DD5BA37B400
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 19 Aug 2002 18:46:40 -0700 (PDT)
Received: from www.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5E64B43E70
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 19 Aug 2002 18:46:40 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.4/8.12.4) with ESMTP id g7K1kdOT041566
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 19 Aug 2002 18:46:39 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.4/8.12.4/Submit) id g7K1kdfB041565;
	Mon, 19 Aug 2002 18:46:39 -0700 (PDT)
Message-Id: <200208200146.g7K1kdfB041565@www.freebsd.org>
Date: Mon, 19 Aug 2002 18:46:39 -0700 (PDT)
From: Jed Clear <clear@netaxs.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: natd -punch_fw "bug"
X-Send-Pr-Version: www-1.0

>Number:         41807
>Category:       docs
>Synopsis:       [patch] natd(8): document natd -punch_fw "bug"
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    trhodes
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 19 18:50:01 PDT 2002
>Closed-Date:    Thu May 29 10:54:55 UTC 2008
>Last-Modified:  Thu May 29 10:54:55 UTC 2008
>Originator:     Jed Clear
>Release:        4.5-RELEASE-p19
>Organization:
Dis-
>Environment:
FreeBSD fbsdk6 4.5-RELEASE-p19 FreeBSD 4.5-RELEASE-p19 #12: Mon Aug 19 19:18:43 EDT 2002     root@fbsdk6:/usr/obj/usr/src/sys/K6  i386      
>Description:
The natd option -punch_fw won't work with kernel securelevel 3

This is really a feature of securelevel 3.
>How-To-Repeat:
Set up working natd -punch_fw at securelevel 2 or lower on the firewall
Go to securelevel 3
Attempt active FTP from client inside to outside, fails.
>Fix:
"Fix" is to add a note to the natd man page under the -punch_fw option
that securelevel 3 will disable punch_fw.

Long term:  If ipfw can add dynamic "keep-state" routes in securelevel 3,
why can't the NAT function?  Note I didn't say natd here.
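
An audit check for the condition reported above, as an added example that is not part of the original report or of FreeBSD: it reports whether a natd configuration asks for punch_fw while the securelevel is 3. It assumes the securelevel (from `sysctl -n kern.securelevel`), the `natd_flags` value and an optional natd config file are passed in as arguments; the function names, interface name and rule range are constructed.

```sh
#!/bin/sh
# Added example (not FreeBSD code): detect a natd punch_fw setting that
# securelevel 3 will leave without effect.

# has_punch_fw FLAGS [CONF_FILE]
# Succeeds if punch_fw is requested on the command line (-punch_fw) or in a
# natd config file, where options are written without the leading dash.
has_punch_fw() {
    flags=$1
    conf=${2:-}
    for word in $flags; do
        [ "$word" = "-punch_fw" ] && return 0
    done
    if [ -n "$conf" ] && [ -r "$conf" ]; then
        # Drop comments first so a commented-out option is not counted.
        sed 's/#.*//' "$conf" |
            grep -Eq '^[[:space:]]*punch_fw([[:space:]]|$)' && return 0
    fi
    return 1
}

# punch_fw_status SECURELEVEL FLAGS [CONF_FILE]
# Prints: unused  (punch_fw not configured)
#         ok      (configured, securelevel below 3)
#         blocked (configured, securelevel 3: the option has no effect)
#         unknown (securelevel is not a number)
punch_fw_status() {
    level=$1
    case $level in
        ''|*[!0-9-]*) echo unknown; return 0 ;;
    esac
    if ! has_punch_fw "$2" "${3:-}"; then
        echo unused
    # Assumption: levels above 3 are treated like 3.
    elif [ "$level" -ge 3 ]; then
        echo blocked
    else
        echo ok
    fi
}

# Constructed sample: flags as they might appear in natd_flags.
punch_fw_status 3 "-n fxp0 -punch_fw 2000:50"   # prints "blocked"
```

On the firewall itself, call it as `punch_fw_status "$(sysctl -n kern.securelevel)" "$natd_flags" /etc/natd.conf`, substituting the config file natd is actually started with.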
>Release-Note:
>Audit-Trail:

From: Hiten Pandya <hiten@angelica.unixdaemons.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/41807: natd -punch_fw "bug"
Date: Fri, 27 Sep 2002 12:10:37 -0400

 --/04w6evG8XlLl3ft
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 
 I am providing a delta, to add the "first" part of the "Fix".
 Providing two line fixes is not always good, but it has come to my
 attention that this PR has not been touched for a while, yet the
 solution is simple; for whatever reasons ...
 
 On that note, I do not know about the second part of the "Fix" (i.e.
 about the keep-state stuff).  Maybe someone more knowledgeable in this
 area of FreeBSD can comment on this.
 
 Patch also available at:
 http://www.unixdaemons.com/~hiten/work/diffs/natd.8.patch
 
 -- 
 Hiten Pandya
 http://www.unixdaemons.com/~hiten
 hiten@unixdaemons.com, hiten@uk.FreeBSD.org, hiten@xMach.org
 PGP: http://pgp.mit.edu:11371/pks/lookup?search=Hiten+Pandya&op=index
 
 --/04w6evG8XlLl3ft
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="natd.8.patch"
 
 Index: natd.8
 ===================================================================
 RCS file: /home/ncvs/src/sbin/natd/natd.8,v
 retrieving revision 1.55
 diff -u -r1.55 natd.8
 --- natd.8	2002/08/13 14:10:36	1.55
 +++ natd.8	2002/09/27 15:54:17
 @@ -464,6 +464,10 @@
  .Ar basenumber
  will be used for punching firewall holes.
  The range will be cleared for all rules on startup.
 +.Pp
 +.Sy NOTE :
 +When the kernel securelevel is 3, this option will have 
 +no effect.
  .It Fl log_ipfw_denied
  Log when a packet cannot be re-injected because an
  .Xr ipfw 8
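
Review bot: The added NOTE paragraph (the two lines beginning "+When the kernel securelevel is 3") tells the reader that the option has no effect but not why, or what they will observe. Securelevel 3 prevents ipfw rules from being changed, so natd cannot install its punched rules and traffic that relies on them fails (the report's case is active FTP); state that in the note and add a cross-reference such as ".Xr init 8", where the securelevels are described. The first added text line also ends with a trailing space after "will have", which should be dropped from the mdoc source.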
 
 --/04w6evG8XlLl3ft--
State-Changed-From-To: open->patched 
State-Changed-By: trhodes 
State-Changed-When: Mon Jan 21 23:09:27 UTC 2008 
State-Changed-Why:  
I have made a commit to the manual page.  In my opinion, this is not a bug, 
it's how securelevel works.  Thanks! 


Responsible-Changed-From-To: freebsd-doc->trhodes 
Responsible-Changed-By: trhodes 
Responsible-Changed-When: Mon Jan 21 23:09:27 UTC 2008 
Responsible-Changed-Why:  
Assign to me, MFC reminder. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41807 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/41807: commit references a PR
Date: Mon, 21 Jan 2008 23:09:25 +0000 (UTC)

 trhodes     2008-01-21 23:09:18 UTC
 
   FreeBSD src repository
 
   Modified files:
     sbin/natd            natd.8 
   Log:
   Note that the punch_fw option does not work in securelevel 3 and Xref init.8.
   Bump .Dd.
   
   PR:             41807
   
   Revision  Changes    Path
   1.66      +6 -1      src/sbin/natd/natd.8
 
State-Changed-From-To: patched->closed 
State-Changed-By: gavin 
State-Changed-When: Thu May 29 10:52:00 UTC 2008 
State-Changed-Why:  
Fixed in -HEAD, and was MFC'd to RELENG_7 and RELENG_6 Mar 4th 2008, 
so will appear in FreeBSD 6.4 and 7.1. 

>Unformatted:
