From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
Date: Tue, 25 Jul 2000 02:30:28 -0500
To: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <397D4214.48E908CC@math.missouri.edu>
References: <397C8F30.8DFCE0E9@math.missouri.edu>

Stephen Montgomery-Smith wrote:
>
> > # Stop RFC1918 nets on the outside interface
> ...........
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
> The web site fixes this by changing the line to:
>
> ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}
>

Actually there is also a rule in rc.firewall:

${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

which the web site changed to

${fwcmd} add deny all from 192.168.0.0/16 to any in via ${oif}

I found that this change was unnecessary. But if you think about it
logically, that change should be necessary. Let's suppose the gateway's
external IP is 12.34.56.78, and that a computer on the internal net,
10.0.0.2, wants to talk to some outside computer 66.77.88.99.

So 10.0.0.2 sends an IP packet:

  10.0.0.2 to 66.77.88.99 via iif

I would think that the gateway sends this to

  10.0.0.2 to 66.77.88.99 via oif

which then the divert rule changes to

  12.34.56.78 to 66.77.88.99 via oif

This would be killed by the above rule. But somehow, instead what happens
is that the divert rule changes

  10.0.0.2 to 66.77.88.99 via iif

directly to

  12.34.56.78 to 66.77.88.99 via iif

I think that if the code that does this gets cleaned up, then it might
change to the more logical way, and then .......

-- 
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu
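As an added example (not from the message above or from rc.firewall as shipped): a "simple"-style rc.firewall fragment for a natd gateway, with the divert rule placed ahead of the RFC1918 rules and both RFC1918 rules carrying the direction qualifiers from the web site fix discussed in the thread. Interface names and the dry-run default for ${fwcmd} are assumptions.

```sh
#!/bin/sh
# Added example, not from the mailing-list message or from rc.firewall as
# shipped.  Interface names and the dry-run default for fwcmd are assumed.

fwcmd=${fwcmd:-"echo ipfw"}   # dry run: prints the rules; set fwcmd=ipfw to load them
oif=${oif:-ed0}               # outside interface (assumed name)
iif=${iif:-ed1}               # inside interface (assumed name)

simple_fw_rules() {
    ${fwcmd} -f flush

    # natd must see a packet before any address-based rule.  A packet
    # handed back by natd re-enters ipfw at the rule after the divert,
    # so every rule below sees the translated addresses.
    ${fwcmd} add divert natd all from any to any via ${oif}

    # Inbound on ${oif}: a packet arriving from the Internet with a
    # private source address is spoofed and is denied.
    ${fwcmd} add deny all from 192.168.0.0/16 to any in via ${oif}
    ${fwcmd} add deny all from 172.16.0.0/12 to any in via ${oif}
    ${fwcmd} add deny all from 10.0.0.0/8 to any in via ${oif}

    # Outbound on ${oif}: nothing leaving for the Internet should be
    # addressed to a private network.  Qualified "out" so that a reply
    # natd has just rewritten to an internal destination (which is
    # travelling "in" via ${oif}) does not match here and get dropped,
    # which is the breakage the thread describes.
    ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 out via ${oif}
    ${fwcmd} add deny all from any to 10.0.0.0/8 out via ${oif}

    # Traffic on the inside interface is trusted.
    ${fwcmd} add pass all from any to any via ${iif}
}

simple_fw_rules
```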