Make natd(8) "compatible" with firewall_type="simple".
PR: conf/13769, conf/20197
This commit is contained in:
parent
9c9c8212ca
commit
13fa4c5e31
@ -67,17 +67,25 @@ esac
${fwcmd} -f flush
############
# These rules are required for using natd. All packets are passed to
# natd before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
# Network Address Translation. All packets are passed to natd(8)
# before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
fi
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Ss][Ii][Mm][Pp][Ll][Ee])
;;
*)
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
fi
;;
esac
esac
############
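Review bot: The `[Ss][Ii][Mm][Pp][Ll][Ee])` arm of the new `case ${firewall_type}` is empty, so someone reading this block sees the natd divert silently skipped for the simple type and has to discover the relocated rule on their own; a comment in the arm would close that gap, e.g. `# The divert rule for the ``simple'' type is added in its own section below, between the address-checking rules.`. Only the literal spelling `simple` is matched, so a `firewall_type` that names a rules file falls through to `*)` and still gets the rule-50 divert, which is presumably intended but worth saying in the same comment. The unquoted `${natd_interface}` in the divert command is carried over from the original; the value is admin-controlled via rc.conf, but quoting it would keep a stray space from turning into extra ipfw arguments. When `natd_enable` is yes and `natd_interface` is empty the divert rule is omitted without any message, so a one-line warning to stderr in that `if` would make the misconfiguration visible.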
@ -171,27 +179,48 @@ case ${firewall_type} in
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_interface}
fi
;;
esac
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
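Review bot: The comment above the new `case ${natd_enable}` justifies splitting the address-checking rules around the divert only if `natd_interface` is the outside interface `${oif}`; if an administrator points natd at a different interface, the `via ${oif}` deny rules never see the translated packets the comment describes and the reordering buys nothing, so that assumption belongs next to the rule, e.g. `# NOTE: this placement assumes natd_interface is the outside interface (oif)`. Keeping the `from any to <net>` denies above the divert and moving only the `from <net> to any` denies below it also means an inbound packet on `${oif}` with a spoofed private source is now handed to natd before the rule below drops it; as far as I can tell natd leaves such a packet untranslated so the drop still happens, but natd processes that traffic first, which is worth a sentence in the comment. The divert rule here carries no explicit number, unlike the `add 50` form used for the other firewall types, so the point at which translated packets re-enter the ruleset depends on ipfw's automatic numbering; stating that in the comment, or giving the rule a fixed number, would make the intended re-entry point explicit. The enclosing `case ${firewall_type}` arm begins above this hunk.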