Date:      Tue, 25 Jul 2000 02:30:28 -0500
From:      Stephen Montgomery-Smith <stephen@math.missouri.edu>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Problems with natd and simple firewall
Message-ID:  <397D4214.48E908CC@math.missouri.edu>
References:  <397C8F30.8DFCE0E9@math.missouri.edu>

Stephen Montgomery-Smith wrote:
> 
> 
>         # Stop RFC1918 nets on the outside interface
>         ...........
>         ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
> 
> The web site fixes this by changing the line to:
> 
>         ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}
> 

Actually there is also a rule in rc.firewall:

         ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

which the web site changed to

         ${fwcmd} add deny all from 192.168.0.0/16 to any in via ${oif}

I found that this change was unnecessary.

But if you think about it logically, that change should be necessary.
Let's suppose the gateway's external ip is 12.34.56.78, and that
a computer on the internal net 10.0.0.2 wants to talk to some outside
computer 66.77.88.99.  So 10.0.0.2 sends an ip packet:

10.0.0.2 to 66.77.88.99 via iif
I would think that the gateway sends this to
10.0.0.2 to 66.77.88.99 via oif
which then the divert rule changes to
12.34.56.78 to 66.77.88.99 via oif
This would be killed by the above rule.

But somehow, instead what happens is that the divert rule changes
10.0.0.2 to 66.77.88.99 via iif
directly to
12.34.56.78 to 66.77.88.99 via iif

I think that if the code that does this gets cleaned up, then it might
change to the more logical way, and then .......

-- 
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu
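The rule walk discussed in this thread, as an added example that is not code from the post, from the web site it mentions, or from FreeBSD's rc.firewall. The model below is a deliberate simplification of ipfw: rules are checked in order, the first deny or allow decides, and a `divert natd` rule rewrites the address and then continues with the next rule (what ipfw does once natd re-injects the packet). It assumes the divert rule sits ahead of the RFC1918 deny rules (rule ordering is parameterised so the other placement can be tried too), models natd as a single static mapping between one internal host and the gateway's external address, and uses constructed values: interface `ed0`, external address 12.34.56.78, internal host 192.168.1.2 and remote host 66.77.88.99.

```python
"""Simplified model of ipfw walking a ruleset that contains a natd divert.

Added example; not from the mailing-list post or from FreeBSD.  Only the
pieces needed to see why 'via' and 'out via' / 'in via' behave differently
are modelled.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is crossing
    direction: str    # "in" (arriving on iface) or "out" (leaving via iface)


@dataclass
class Rule:
    action: str                      # "deny", "allow" or "divert"
    src_net: str                     # CIDR or "any"
    dst_net: str                     # CIDR or "any"
    iface: Optional[str] = None      # 'via <iface>' restricts the interface
    direction: Optional[str] = None  # "in" / "out"; None = plain 'via' (either)


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    """ipfw 'via' matches a packet in either direction on that interface;
    'in via' / 'out via' additionally pin the direction."""
    if rule.iface is not None and pkt.iface != rule.iface:
        return False
    if rule.direction is not None and pkt.direction != rule.direction:
        return False
    return _in_net(pkt.src, rule.src_net) and _in_net(pkt.dst, rule.dst_net)


# Constructed addresses (assumptions, not from the post).
EXT_IP = "12.34.56.78"     # gateway's external address
INT_HOST = "192.168.1.2"   # the one LAN host this toy natd maps
REMOTE = "66.77.88.99"     # some host on the Internet
OIF = "ed0"                # assumed name of the outside interface


def natd(pkt: Packet) -> Packet:
    """Toy natd: outbound private source -> external address;
    inbound packet for the external address -> the internal host."""
    if pkt.direction == "out" and ipaddress.ip_address(pkt.src).is_private:
        return replace(pkt, src=EXT_IP)
    if pkt.direction == "in" and pkt.dst == EXT_IP:
        return replace(pkt, dst=INT_HOST)
    return pkt


def walk(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet, Optional[int]]:
    """Return (verdict, packet as finally seen, index of the deciding rule)."""
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)   # rewrite, then keep walking from the next rule
            continue
        return rule.action, pkt, i
    return "deny", pkt, None  # ipfw's default rule denies


def ruleset(to_dir: Optional[str], from_dir: Optional[str],
            divert_first: bool = True) -> List[Rule]:
    """The two RFC1918 rules from the thread.  to_dir/from_dir None models
    plain 'via ${oif}'; ("out", "in") models the web site's changed rules."""
    divert = Rule("divert", "any", "any", iface=OIF)
    denies = [
        Rule("deny", "any", "192.168.0.0/16", iface=OIF, direction=to_dir),
        Rule("deny", "192.168.0.0/16", "any", iface=OIF, direction=from_dir),
    ]
    body = [divert] + denies if divert_first else denies + [divert]
    return body + [Rule("allow", "any", "any")]


def reply_from_internet(to_dir, from_dir, divert_first=True):
    """A reply addressed to the gateway's external IP, arriving on oif."""
    return walk(ruleset(to_dir, from_dir, divert_first),
                Packet(REMOTE, EXT_IP, OIF, "in"))


def outbound_from_lan(to_dir, from_dir, divert_first=True):
    """The LAN host's packet as it leaves on oif after being routed."""
    return walk(ruleset(to_dir, from_dir, divert_first),
                Packet(INT_HOST, REMOTE, OIF, "out"))


if __name__ == "__main__":
    for dirs in ((None, None), ("out", "in")):
        print(dirs, reply_from_internet(*dirs)[0], outbound_from_lan(*dirs)[0])
    print("divert after denies:", outbound_from_lan(None, None, False)[0])
```

With the divert ahead of the denies, the inbound reply is translated to 192.168.1.2 and then killed by `deny all from any to 192.168.0.0/16 via ${oif}`, while `out via` lets it through; the outbound packet already carries the external source address by the time the `from 192.168.0.0/16` rule is reached, so that rule matches nothing either way, which is consistent with the second change being found unnecessary. Moving the divert after the deny rules (`divert_first=False`) makes the outbound packet get denied instead, so the rule order is as much a part of the behaviour as the `via` keyword.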

