a couple /etc/rc.firewall questions
Hiroki Sato
hrs at FreeBSD.org
Mon Aug 24 04:28:11 UTC 2015
Don Lewis <truckman at FreeBSD.org> wrote
in <201508240052.t7O0qsFF002623 at gw.catspoiler.org>:
tr> > A TCP setup packet coming from a host on the internal LAN to the NAPT
tr> > router falls into the last deny-all rule because it does not match if
tr> > you added "out via ${oif}" to that rule. Does the following
tr> > additional rule work for you?
tr> >
tr> > ${fwcmd} add pass tcp from any to any out via ${oif} setup
tr> > ${fwcmd} add pass tcp from any to not me in via ${iif} setup
tr>
tr> That works for now, but won't do the correct thing when I subdivide my
tr> internal network because it will allow unrestricted connections between
tr> the internal subnets. What I'd really like is something like:
tr>
tr> ${fwcmd} add pass tcp from any to not me,${inet} setup
tr>
tr> but that isn't a valid rule. I ended up adding a couple of deny
tr> rules for me and ${inet} before the wildcard pass allow rule. I had to
tr> make sure that some other more specific rules allowing connections
tr> between me and the inside were before the new deny rules.
Hmmm, I think "table" would be useful to restrict connections between
the internal subnets in that case like:
## allow TCP setup going to outside network:
${fwcmd} add pass tcp from any to any out via ${oif} setup
## list of all internal subnets including NAPT router itself:
${fwcmd} table 1 flush
${fwcmd} table 1 add 192.168.1.1/32 # NAPT router
${fwcmd} table 1 add 192.168.3.0/24
${fwcmd} table 1 add 192.168.4.0/24
...
## allow TCP setup from the internal subnets to outside network:
${fwcmd} add pass tcp from "table(1)" to not "table(1)" in via ${iif} setup
##
## list of internal subnets which can connect to me:
${fwcmd} table 2 flush
${fwcmd} table 2 add 192.168.3.0/24
...
## allow TCP setup from some of the internal subnets to me:
${fwcmd} add pass tcp from "table(2)" to me in via ${iif} setup
-- Hiroki
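To make the first-match behaviour of the table-based rule set above concrete, here is an added simulation (written for this page, not part of the thread and not ipfw itself) that evaluates TCP setup packets against the same four rules, with a forwarded packet checked twice as ipfw does: once inbound on the ingress interface and once outbound on the egress interface. The interface names em0/em1, the router's external address 203.0.113.10 and the sample hosts are constructed assumptions; the table contents come from the message.

```python
"""Simulate ipfw first-match evaluation of the table-based setup rules.

Added example, not the thread's own code and not ipfw: a small model of
'pass tcp ... setup' rules using ipfw-style tables. Only TCP setup
packets are modelled, since every rule in the message is a 'setup' rule.
"""
import ipaddress

# Constructed topology. Only 192.168.1.1/32, 192.168.3.0/24 and
# 192.168.4.0/24 come from the message; the rest is assumed.
IIF = "em1"   # ${iif}: internal interface
OIF = "em0"   # ${oif}: external interface
ME = {        # every address of the NAPT router; 'me' matches all of them
    ipaddress.ip_address("192.168.1.1"),    # LAN side
    ipaddress.ip_address("203.0.113.10"),   # WAN side (assumed)
}
TABLES = {
    1: [ipaddress.ip_network(n) for n in
        ("192.168.1.1/32", "192.168.3.0/24", "192.168.4.0/24")],
    2: [ipaddress.ip_network("192.168.3.0/24")],
}


def in_table(n, addr):
    """Table lookup: does the address fall inside any prefix of table n."""
    return any(addr in net for net in TABLES[n])


# Address matchers mirroring the rule syntax: any, me, "table(N)", not X.
def any_addr(a):
    return True


def me(a):
    return a in ME


def table(n):
    return lambda a: in_table(n, a)


def not_(m):
    return lambda a: not m(a)


# (action, src matcher, dst matcher, direction, interface), in the same
# order as the message; the trailing deny is the usual deny-all rule.
RULES = [
    ("pass", any_addr, any_addr,       "out", OIF),
    ("pass", table(1), not_(table(1)), "in",  IIF),
    ("pass", table(2), me,             "in",  IIF),
    ("deny", any_addr, any_addr,       None,  None),
]


def evaluate(src, dst, direction, iface):
    """First matching rule wins, as in ipfw."""
    for action, src_m, dst_m, d, i in RULES:
        if d is not None and (d, i) != (direction, iface):
            continue
        if src_m(src) and dst_m(dst):
            return action
    return "deny"


def setup_allowed(src, dst):
    """True if a TCP setup packet src->dst survives every pass through the
    rule set: 'in' on the ingress interface (skipped for the router's own
    packets) and 'out' on the egress interface (skipped when dst is me)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not me(src):
        ingress = IIF if in_table(1, src) else OIF
        if evaluate(src, dst, "in", ingress) != "pass":
            return False
    if me(dst):
        return True
    egress = IIF if in_table(1, dst) else OIF
    return evaluate(src, dst, "out", egress) == "pass"


def check_flows():
    """Constructed sample flows and what the rule set does with them."""
    flows = {
        "lan host -> internet":        ("192.168.3.5", "198.51.100.7"),
        "lan subnet -> other subnet":  ("192.168.3.5", "192.168.4.9"),
        "table2 host -> router LAN":   ("192.168.3.5", "192.168.1.1"),
        "non-table2 host -> router":   ("192.168.4.9", "192.168.1.1"),
        "internet -> lan host":        ("198.51.100.7", "192.168.3.5"),
        "router -> internet":          ("192.168.1.1", "198.51.100.7"),
        "non-table2 host -> router WAN addr": ("192.168.4.9", "203.0.113.10"),
    }
    return {name: setup_allowed(s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, ok in check_flows().items():
        print(f"{'pass' if ok else 'deny':4}  {name}")
```

The simulation confirms the intent of the rules: LAN hosts reach the Internet, connections between the internal subnets are denied, and only table 2 hosts may connect to the router's LAN address. It also shows one thing worth checking on a real box: because the router's external address is not in table 1, the second rule ("to not table(1)") passes a setup packet from any internal subnet to that address before the table 2 rule is reached, so a host outside table 2 can still reach services bound to the WAN side. Adding the router's external address to table 1 (or placing a deny for "to me" from non-table-2 sources ahead of the wildcard rule) closes that path.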