firewall_nat_enable in rc.firewall
Ian Smith
smithi at nimnet.asn.au
Fri Jan 27 19:23:52 UTC 2012
On Fri, 27 Jan 2012, Pavel Timofeev wrote:
> Hi all!
>
> I have a small correction for /etc/rc.firewall
>
> My conf
> [hostname]# grep firewall /etc/rc.conf
> firewall_enable="YES"
> firewall_type="open"
> firewall_nat_enable="YES"
> firewall_nat_interface="re0"
> firewall_nat_flags="same_ports reset"
>
> [hostname]# ipfw show
> 00050 5175447 4519882589 nat 123 ip4 from any to any via re0
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 deny ip from any to ::1
> 00500 0 0 deny ip from ::1 to any
> 00600 0 0 allow ipv6-icmp from :: to ff02::/16
> 00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 1 76 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 65000 174 31790 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> It seems to me very strange that first rule is nat rule.
No, that's the right place (for this simple open one-rule nat setup).
> Because the following rules won't be passed and they look useless.
Make sure your 'sysctl net.inet.ip.fw.one_pass' is set to 0. If not,
run 'ipfw disable one_pass', and/or add 'net.inet.ip.fw.one_pass=0' to
/etc/sysctl.conf to make it so, in order that all packets continue on
through the rest of the ruleset after NAT translation.
Those rules are far from useless. The localhost rules allow proper and
deny improper traffic via localhost, and the ipv6-icmp rules are deemed
necessary. (So should be some ipv4 icmp but that's another issue, and
here you wind up allowing everything else including icmp anyway ..)
> What do you think about this?
> # diff -u /etc/rc.firewall /etc/rc.firewall.new
> --- /etc/rc.firewall 2012-01-03 11:57:38.000000000 +0400
> +++ /etc/rc.firewall.new 2012-01-27 11:53:40.000000000 +0400
> @@ -169,7 +169,7 @@
> firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
> fi
> ${fwcmd} nat 123 config log ${firewall_nat_flags}
> - ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
> + ${fwcmd} add 64900 nat 123 ip4 from any to any via ${firewall_nat_interface}
> fi
> ;;
> esac
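Review bot: the `+` line moves the nat rule from 50 to 64900, and that changes rule order for more than the open type: the `case ... esac` this block sits in also serves other firewall_type values, and any rule rc.firewall adds afterwards without an explicit number is placed after the highest existing rule, so those rules would be squeezed into the 64900..65535 window and would run before the nat rule instead of after it, i.e. address-based rules would see untranslated addresses. If the aim is headroom for local rules, keep 50 here and number the local rules from about 2000 upward, or gate the number behind a new rc.conf variable (say firewall_nat_rule, a hypothetical name) that defaults to 50 so existing setups are unaffected.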
Doing that means any subsequent rules added without a specified rule
number would be added after 64900. This section is used for other than
'open' firewall_type, and the placement of the NAT rule/s is crucial.
> There are some situations when I want to use
> firewall_coscripts="/etc/ipfw.sh", which stores banned IP addresses and
> ports.
> If the nat rule were 64900, I'd have more numbers for my own rules.
> I hope you understand my English =)
I doubt firewall_coscripts is the best mechanism for that sort of thing;
it's more for other scripts (like natd) that need to be loaded and later
unloaded in correct order when enabling / disabling the firewall.
In any case you could start numbering your own rules from (say) 2000,
either included in rc.firewall or, probably better, in a separate script,
in which case you'd need to number every rule (to stay below 65000 here).
I'd likely add something like this to rc.firewall before line 65000:
[ -r /root/bin/myipfwconfig ] && . /root/bin/myipfwconfig
and have that file add (could be) unnumbered rules for your local
additions, after the nat and essential localhost etc rules above.
cheers, Ian
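As an added example (not code from this thread or from FreeBSD's rc.firewall), here is a POSIX sh script in the spirit of the sourced /root/bin/myipfwconfig idea above: it reads a local blocklist and emits explicitly numbered deny rules starting at 2000, so that they land after the nat rule (50) and the localhost / ipv6-icmp rules (100..1000) but stay below the open type's "65000 allow ip from any to any", refuses to emit a number that would reach 65000, and checks net.inet.ip.fw.one_pass before loading anything. The blocklist format ("ADDR[/PREFIX] [TCP_PORT]"), the start number and step, the sample addresses (documentation prefixes) and the file names are assumptions; ipfw is only invoked by apply_block_rules, and the sysctl lookup only works on FreeBSD.

```shell
#!/bin/sh
# Added example, not part of the original thread or of FreeBSD's rc.firewall.
# Emits explicitly numbered ipfw deny rules for a local blocklist so that they
# are evaluated after rc.firewall's nat rule (50) and localhost/ipv6-icmp rules
# (100..1000) but before the firewall_type=open "65000 allow ip from any to any".
# Assumptions: blocklist lines are "ADDR[/PREFIX] [TCP_PORT]" ('#' comments),
# numbering starts at 2000 in steps of 10, ipfw is only run by apply_block_rules.

FWCMD=${FWCMD:-/sbin/ipfw}
FIRST_RULE=2000      # assumed start, above the rc.firewall essentials
RULE_STEP=10
LAST_RULE=64999      # 65000 or higher would sit behind the open allow rule

# one_pass_ok [VALUE]: succeed only if one_pass is 0, i.e. packets keep going
# through the ruleset after the nat rule instead of being accepted there.
# VALUE is read from sysctl when not given (FreeBSD only).
one_pass_ok() {
    val=${1:-$(sysctl -n net.inet.ip.fw.one_pass 2>/dev/null)}
    [ "$val" = "0" ]
}

# gen_block_rules FILE [FIRST]: print one "add N deny ..." line per entry.
# Fails (status 1) rather than emitting a rule number of 65000 or more.
gen_block_rules() {
    num=${2:-$FIRST_RULE}
    while read -r addr port _; do
        case "$addr" in ''|'#'*) continue ;; esac
        if [ "$num" -gt "$LAST_RULE" ]; then
            echo "gen_block_rules: rule $num would not be below 65000" >&2
            return 1
        fi
        if [ -n "$port" ]; then
            printf 'add %d deny tcp from %s to any dst-port %s\n' "$num" "$addr" "$port"
        else
            printf 'add %d deny ip4 from %s to any\n' "$num" "$addr"
        fi
        num=$((num + RULE_STEP))
    done < "$1"
}

# apply_block_rules FILE: generate the rules and load them with $FWCMD.
# Nothing is loaded if generation fails or one_pass is still 1.
apply_block_rules() {
    one_pass_ok || { echo "set net.inet.ip.fw.one_pass=0 first" >&2; return 1; }
    rules=$(gen_block_rules "$1") || return 1
    printf '%s\n' "$rules" | while read -r line; do
        $FWCMD -q $line || exit 1    # exit leaves only the pipeline subshell
    done
}

# Constructed sample blocklist (documentation prefixes, not real hosts).
SAMPLE_BLOCKLIST=${TMPDIR:-/tmp}/ipfw-blocklist.sample
cat > "$SAMPLE_BLOCKLIST" <<'EOF'
# addr[/prefix]      [tcp port]
192.0.2.10
198.51.100.0/24      22
203.0.113.7          443
EOF

# Preview what would be loaded, without touching ipfw.
gen_block_rules "$SAMPLE_BLOCKLIST"
```

Sourced from rc.firewall just before the 65000 rule, only apply_block_rules needs to run; the explicit numbers keep the local rules between the rc.firewall essentials and the final allow regardless of where ipfw would otherwise auto-number them.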
More information about the freebsd-ipfw mailing list