DragonFly BSD
DragonFly users List (threaded) for 2005-02

Re: natd and open firewall problem


From: justin@xxxxxxxxxxxxxxxxxx
Date: Sat, 26 Feb 2005 09:08:53 -0500 (EST)

> Yo that probably ain't that good.
> It's not the only problem there is in there though.
> That's why one can override it.

>          ${fwcmd} add 1 pass all from any to any

I'm not terribly familiar with the topic, but doesn't ipfw stop matching
after reaching this rule?  i.e. since all packets are passed, and they
encounter this rule first, they won't see any other rule - including the
NAT divert rule.

A "pass all any to any" rule shouldn't be needed, as the instructions
mention a 'IPFIREWALL_DEFAULT_TO_ACCEPT' kernel option that does the same
thing, except as the last rule, not the first.  My machine does have that.

Looking at the FreeBSD cvsweb, and our rc.firewall before version 1.3, it
does just that in an open situation:

case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	setup_loopback
	# catch-all pass as the *last* rule: lower-numbered rules (such as a natd
	# divert rule) are still evaluated first
	${fwcmd} add 65000 pass all from any to any
	;;
# other firewall_type cases omitted from this excerpt
esac

Andreas - it looks like your last changeset is where the "add 1 ..." rule
came from.  Why did it go from rule 65000 to 1?  Any objection to me
changing it back?
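To make the ordering argument concrete, here is an added example (not DragonFly's rc.firewall, and not from the poster) that replaces ${fwcmd} with a shell function recording rules instead of calling ipfw, then applies ipfw's first-match semantics to see which rule a packet hits. The divert rule number (50) and its syntax are assumptions for illustration; only the two placements of the catch-all pass rule come from the discussion.

```shell
#!/bin/sh
# Mock of ${fwcmd}: records "num action" instead of invoking ipfw.
RULES=""
NL='
'
fwcmd() {
    # usage: fwcmd add <num> <action> ...   (anything else is rejected)
    [ "$1" = "add" ] || return 1
    RULES="${RULES}$2 $3${NL}"
}

# ipfw evaluates rules in ascending number order and stops at the first
# match.  Every rule used here is "from any to any", so each matches every
# packet and the winner is simply the lowest-numbered rule's action.
first_match() {
    printf '%s' "$RULES" | sort -n | head -n 1 | cut -d' ' -f2
}

# Ruleset as in the questioned changeset: catch-all pass at rule 1.
# The (assumed) natd divert at rule 50 is never reached.
open_at_1() {
    RULES=""
    fwcmd add 1 pass all from any to any
    fwcmd add 50 divert natd ip from any to any via "$1"
    first_match
}

# Ruleset as before rc.firewall 1.3: catch-all pass last, at 65000.
# The divert rule now matches first, so NAT happens.
open_at_65000() {
    RULES=""
    fwcmd add 50 divert natd ip from any to any via "$1"
    fwcmd add 65000 pass all from any to any
    first_match
}
```

Running `open_at_1 em0` prints `pass` and `open_at_65000 em0` prints `divert`, which is the behaviour the post describes.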
