From nobody@FreeBSD.org  Sat Mar 27 08:33:43 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 506A616A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 27 Mar 2004 08:33:43 -0800 (PST)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2FB7E43D2D
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 27 Mar 2004 08:33:43 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.10/8.12.10) with ESMTP id i2RGXh72012806
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 27 Mar 2004 08:33:43 -0800 (PST)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.10/8.12.10/Submit) id i2RGXhsW012805;
	Sat, 27 Mar 2004 08:33:43 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200403271633.i2RGXhsW012805@www.freebsd.org>
Date: Sat, 27 Mar 2004 08:33:43 -0800 (PST)
From: Vlad Manilici <vman.SYMBOL.tmok.SYMBOL.com@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Handbook section on NAT incomplete
X-Send-Pr-Version: www-2.3

>Number:         64807
>Category:       docs
>Synopsis:       Handbook section on NAT incomplete
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 27 08:40:13 PST 2004
>Closed-Date:    Mon Feb 19 13:13:43 GMT 2007
>Last-Modified:  Mon Feb 19 13:13:43 GMT 2007
>Originator:     Vlad Manilici
>Release:        5.2.1
>Organization:
>Environment:
$ uname -a
FreeBSD <hostname> 5.2.1-RELEASE-p3 FreeBSD 5.2.1-RELEASE-p3 #10: Tue Mar 23 20:32:54 CET 2004 root@<hostname>:/usr/obj/usr/src/sys/<kernel>  i386

>Description:
The Handbook section on NAT:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
does not contain sufficient information to configure NAT on FreeBSD.

More specifically:
1. the suggested firewall configuration ("OPEN") does not contain any
   redirection rule. Probably, the intention was "OpenClient".
2. it should be mentioned that NAT does not work with stateful rules.
3. NAT configuration with an "open" firewall is not enough in today's
   Internet. A set of rules that mixes NAT with filtering should be
   explained. Combining the two raises some problems not seen in either
   independently, and should definitely be explained.

Here is a working set of rules for NAT and some meaningful packet
filtering (of course, one could do better). The external interface
is "xl0", and the internal one "rl0". The internal network is
10.0.0/24.

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 divert 8668 ip from any to any via xl0
00500 allow ip from any to any frag
00600 allow ip from 10.0.0.0/24 to any in recv rl0
00700 allow ip from any to 10.0.0.0/24 out xmit rl0
00800 allow ip from any to 10.0.0.0/24 via xl0
00900 allow tcp from me to any setup out xmit xl0
01000 allow tcp from any to me dst-port 22 setup in recv xl0
01100 allow tcp from any to any established via xl0
01200 allow udp from any 53 to any via xl0
01300 allow udp from any to any dst-port 53 via xl0
01400 allow udp from any 68 to any via xl0
01500 allow udp from any to any dst-port 68 via xl0
01600 allow udp from any 123 to any via xl0
01700 allow udp from any to any dst-port 123 via xl0
01800 allow icmp from me to any icmptypes 8 out xmit xl0
01900 allow icmp from any to me icmptypes 0 in recv xl0
02000 allow icmp from any to any icmptypes 3,11 via xl0
02100 deny ip from any to any
65535 deny ip from any to any

Note that:
1. I used the "standard" loopback configuration in rc.firewall.
2. Diverting should be the first rule after loopback setup.
3. Rule 800, although it seems contradictory, is necessary (tested).
   To know why, one should explore how natd packet reinjection works.
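A small model of the evaluation order the third note points at, added here as an illustration and not part of the PR, of ipfw or of natd: a packet written back by natd resumes at the rule after the divert rule, still inbound on xl0 but now addressed to the inside host, so a "to me" rule no longer matches it and only rule 800 lets the reply through. The external address, the natd state entry and the reduced rule subset are assumptions.

```python
import ipaddress

# Assumed (not from the PR): gateway address on xl0 and one natd entry.
ME = "192.0.2.1"
NAT_STATE = {(ME, 4242): "10.0.0.5"}  # (external addr, ICMP id) -> inside host

# Subset of the PR's ruleset: (number, action, proto, src, dst, options)
RULES = [
    (400, "divert", "ip", "any", "any", {"iface": "xl0"}),
    (800, "allow", "ip", "any", "10.0.0.0/24", {"iface": "xl0"}),
    (1900, "allow", "icmp", "any", "me", {"iface": "xl0", "dir": "in", "icmptypes": {0}}),
    (2100, "deny", "ip", "any", "any", {}),
]

# Constructed sample: echo reply arriving on xl0 for a ping an inside host sent.
REPLY = {"proto": "icmp", "src": "198.51.100.7", "dst": ME, "id": 4242,
         "icmptype": 0, "dir": "in", "iface": "xl0"}

def addr_matches(addr, spec):
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, pkt):
    _, _, proto, src, dst, opts = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (addr_matches(pkt["src"], src) and addr_matches(pkt["dst"], dst)):
        return False
    if opts.get("iface", pkt["iface"]) != pkt["iface"]:
        return False
    if opts.get("dir", pkt["dir"]) != pkt["dir"]:
        return False
    return pkt.get("icmptype") in opts.get("icmptypes", {pkt.get("icmptype")})

def natd_inbound(pkt):
    # natd rewrites the destination of a known inbound flow; the packet
    # keeps its direction (in) and its receiving interface (xl0).
    inside = NAT_STATE.get((pkt["dst"], pkt["id"]))
    return dict(pkt, dst=inside) if inside else pkt

def evaluate(rules, pkt):
    """Return (action, rule number); a reinjected packet resumes after divert."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule[1] == "divert":
                pkt = natd_inbound(pkt)  # continue with the next rule
            else:
                return rule[1], rule[0]
    return "deny", 65535
```

Dropping rule 800 from RULES makes the same reply fall through to rule 2100, which is the behaviour the note describes.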

>How-To-Repeat:
Give a beginner the Handbook and ask her to install NAT :)).
>Fix:
See above.
>Release-Note:
>Audit-Trail:

From: Marc Fonvieille <blackend@FreeBSD.org>
To: Vlad Manilici <vman.SYMBOL.tmok.SYMBOL.com@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: docs/64807: Handbook section on NAT incomplete
Date: Sat, 27 Mar 2004 18:38:46 +0100

 On Sat, Mar 27, 2004 at 08:33:43AM -0800, Vlad Manilici wrote:
 > 
 > >Description:
 > The Handbook section on NAT:
 > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
 > does not contain sufficient information to configure NAT on FreeBSD.
 > 
 > More specifically:
 > 1. the suggested firewall configuration ("OPEN") does not contain any
 >    redirection rule. Probably, the intention was "OpenClient".
 > 2. it should be mentioned that NAT does not work with stateful rules.
 > 3. NAT configuration with an "open" firewall is not enough in today's
 >    Internet. A set of rules that mixes NAT with filtering should be
 >    explained. Combining the two raises some problems not seen in either
 >    independently, and should definitely be explained.
 > 
 > Here is a working set of rules for NAT and some meaningful packet
 > filtering (of course, one could do better). The external interface
 > is "xl0", and the internal one "rl0". The internal network is
 > 10.0.0/24.
 >
 [...]
 
 You are talking about packet filtering, not only NAT; the aim of the
 mentioned section is to cover only NAT (natd(8)), not the configuration
 of a firewall (that is why the OPEN type was used).
 All examples are done with that point of view.
 
 If someone wants to add packet filtering, reading
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
 and /etc/rc.firewall will be enough, since rc.firewall contains good
 examples.  (Changing the OPEN type to SIMPLE or CLIENT does the trick)
 
 Marc
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Mon Feb 19 13:13:41 UTC 2007 
State-Changed-Why:  
Given Marc's reply and no additional feedback, I will close the PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=64807 
>Unformatted:
