Hi,
On Feb 7, 2013, at 13:40, Ian Smith <smi...@nimnet.asn.au> wrote:
> On Thu, 7 Feb 2013 08:08:59 +0000, Eggert, Lars wrote:
>> On Jan 31, 2013, at 16:03, Matthew Luckie <m...@luckie.org.nz> wrote:
>>>
>>> 00510 allow ip from me to not me out via em1
>>> 00550 divert 8668 ip from any to any via em1
>>>
>>> Rule 510 fixes it.
>>
>> Yep, it does. Can I ask someone to commit this to rc.firewall?
>
> The ruleset Matthew posted bears no resemblance to rc.firewall, so I
> don't see that (or how) it solves any generic problem.
sorry for having been imprecise. What I was asking for was this change:
--- /usr/src/etc/rc.firewall 2012-11-17 12:36:10.000000000 +0100
+++ rc.firewall 2013-02-06 11:35:45.000000000 +0100
@@ -155,6 +155,7 @@
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
+ ${fwcmd} add 49 allow ip from me to not me out via
${natd_interface}
${fwcmd} add 50 divert natd ip4 from any to any via
${natd_interface}
fi
;;
>> (And I wonder if the rules for the ipfw kernel firewall need a
>> similar addition, because the system locks up under heavy network
>> load if I use that instead of natd.)
>
> Which rc.firewall ruleset are you referring to?
My rc.conf has:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="bce0"
With the patch above, that seems to work fine.
I tried to replace the natd_* lines with:
firewall_nat_enable="YES"
firewall_nat_interface="bce0"
which caused the machine to lock up under load, similar to when natd started
eating CPU cycles. This made me wonder if a similar patch to the above for the
firewall_nat_* case in rc.firewall might be needed.
> There certainly are
> problems with the 'simple' ruleset relating to use of $natd_enable vs
> $firewall_nat_enable (not to mention the denial of ALL icmp traffic)
> that I posted patches to a couple of years ago in ipfw@ to rc.firewall
> and /etc/rc.d/{ipfw,natd) addressing about 4 PRs .. sadly to no avail.
>
> I suggest following up to ipfw@ (cc'd) rather than net@
Will subscribe, thanks.
Lars
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
