It has been reported that both amd64 and i386 architectures will panic in natd by jumping to address 0. There has been no discussion since the reports, however, and I was wondering if anyone is looking into it. Should I file a bug report?

I have nothing special, just turned on some options in the kernel and some things in rc.conf...

config file:

options BRIDGE # bridge ethernet adapters
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPDIVERT

/etc/rc.conf:

firewall_enable="YES"
firewall_type="/etc/fw/rc.firewall.rules"
firewall_quiet="NO"
natd_enable="YES"
natd_flags="-f /etc/fw/natd.conf"
natd_interface="dc0"

/etc/fw/rc.firewall.rules:

#set and flush all rules on start
-q flush
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow all from any to any via lo0
add 00110 deny all from any to 127.0.0.0/8
add 00120 deny all from any to any not verrevpath in
add 00301 allow all from me to 192.168.1.0/24 via dc0
add 00302 deny all from any to 10.0.0.0/8 via dc0
add 00303 deny all from any to 172.16.0.0/12 via dc0
add 00304 deny all from any to 192.168.0.0/16 via dc0
# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd all from any to me in via dc0
add 01001 check-state
add 03001 allow all from 192.168.1.0/24 to me via dc0
add 03002 deny all from 10.0.0.0/8 to any via dc0
add 03003 deny all from 172.16.0.0/12 to any via dc0
add 03004 deny all from 192.168.0.0/16 to any via dc0
add 03005 deny all from 66.159.66.56/29 to any via dc0
# Allow TCP through if setup succeeded
add 04000 pass tcp from any to any established
# Allow IP fragments to pass through
add 04010 pass all from any to any frag
# allow all traffic from the local net to the router
add 04100 allow all from 192.168.10.0/24 to me in via re0
# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 all from 192.168.10.0/24 to any in via re0 keep-state
# allow all outgoing traffic from the router
add 05000 allow all from me to any out via re0
add 05010 allow all from me to any out keep-state
add 60000 skipto 62000 all from any to any
# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd all from 192.168.10.0/24 to any out via dc0
# this is a good packet
add 62000 allow all from any to any

/etc/fw/natd.conf:

unregistered_only
use_sockets
# dynamically open fw for ftp, irc
punch_fw 2000:50
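As an added example (not code from the poster, and not part of FreeBSD or ipfw), here is a small Python audit for an ipfw ruleset of the kind quoted above. It parses the `add` lines, lists the interfaces the rules reference, and flags the two consistency problems that are easy to get wrong in a natd setup: `skipto` targets that point backwards or past the last rule (ipfw skips forward to the first rule numbered at or above the target, so a target past the end falls through to the default rule), and `divert natd` rules whose `via` interface differs from `natd_interface` in rc.conf or that cover only one direction. The embedded ruleset is an abridged copy of the one in the post; the `Rule` class, function names and the second ruleset in the usage are this example's own constructions. It checks the ruleset only; it says nothing about the natd panic itself.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: rc.conf lines and an abridged copy of the ipfw rules
# quoted in the post above (only the rules these checks look at are kept).
RC_CONF_SAMPLE = '''
firewall_enable="YES"
natd_enable="YES"
natd_interface="dc0"
'''

RULES_SAMPLE = '''
#set and flush all rules on start
-q flush
add 00100 allow all from any to any via lo0
add 00120 deny all from any to any not verrevpath in
add 01000 divert natd all from any to me in via dc0
add 01001 check-state
add 04000 pass tcp from any to any established
add 04100 allow all from 192.168.10.0/24 to me in via re0
add 04109 skipto 61000 all from 192.168.10.0/24 to any in via re0 keep-state
add 05010 allow all from me to any out keep-state
add 60000 skipto 62000 all from any to any
add 61000 divert natd all from 192.168.10.0/24 to any out via dc0
add 62000 allow all from any to any
'''


@dataclass
class Rule:                      # hypothetical record type for one "add" line
    num: int
    action: str                  # allow/pass, deny, divert, skipto, check-state, ...
    arg: Optional[str]           # divert port name or skipto target, if any
    proto: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    direction: Optional[str]     # "in", "out", or None when the rule matches both
    iface: Optional[str]         # interface named by "via", if any
    opts: str                    # remaining option text (keep-state, frag, ...)


# add <num> <action> [natd|<num>] [<proto> from <src> to <dst>] [options...]
_RULE_RE = re.compile(
    r'^add\s+(?P<num>\d+)\s+(?P<action>[\w-]+)'
    r'(?:\s+(?P<arg>natd|\d+))?'
    r'(?:\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))?'
    r'(?P<opts>.*)$'
)


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('add '):
            continue             # comments, blank lines and "-q flush" are not rules
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparsed rule: {line}')
        opts = m.group('opts').strip()
        dir_m = re.search(r'\b(in|out)\b', opts)
        via_m = re.search(r'\bvia\s+(\S+)', opts)
        rules.append(Rule(int(m.group('num')), m.group('action'), m.group('arg'),
                          m.group('proto'), m.group('src'), m.group('dst'),
                          dir_m.group(1) if dir_m else None,
                          via_m.group(1) if via_m else None, opts))
    return rules


def natd_interface_from_rc(text: str) -> Optional[str]:
    m = re.search(r'^natd_interface="?([^"\s]+)"?\s*$', text, re.M)
    return m.group(1) if m else None


def interfaces(rules: list[Rule]) -> list[str]:
    return sorted({r.iface for r in rules if r.iface})


def audit(rules: list[Rule], natd_iface: Optional[str]) -> list[str]:
    findings = []
    nums = {r.num for r in rules}
    for r in rules:
        if r.action == 'skipto':
            target = int(r.arg)
            if target <= r.num:
                findings.append(f'rule {r.num}: skipto {target} does not move forward')
            elif not any(n >= target for n in nums):
                findings.append(f'rule {r.num}: skipto {target} is past the last rule '
                                f'(falls through to the default rule)')
        if r.action == 'divert' and r.arg == 'natd' and natd_iface and r.iface != natd_iface:
            findings.append(f'rule {r.num}: divert natd via {r.iface} '
                            f'but natd_interface is {natd_iface}')
    # natd needs to see both directions; a rule with no in/out covers both
    natd_dirs = {r.direction for r in rules if r.action == 'divert' and r.arg == 'natd'}
    if natd_dirs and None not in natd_dirs:
        for d in ('in', 'out'):
            if d not in natd_dirs:
                findings.append(f'no divert natd rule covers {d}bound traffic')
    return findings


if __name__ == '__main__':
    rules = parse_rules(RULES_SAMPLE)
    iface = natd_interface_from_rc(RC_CONF_SAMPLE)
    print(f'{len(rules)} rules; interfaces: {interfaces(rules)}; natd_interface={iface}')
    for line in audit(rules, iface) or ['no findings']:
        print(line)
    # a constructed, deliberately inconsistent ruleset to show the findings
    bad = parse_rules('add 100 skipto 50 all from any to any\n'
                      'add 200 divert natd all from any to any in via em0\n'
                      'add 300 skipto 900 all from any to any')
    for line in audit(bad, iface):
        print('constructed ruleset:', line)
```

Running it on the post's ruleset reports no findings, but the interface list (dc0, lo0, re0) makes the split between the local-net interface (re0) and the natd interface (dc0) visible at a glance, which is the first thing worth confirming against natd_interface when a NAT setup misbehaves.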
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:21 UTC