From: Ralph Huntington
To: steve
Cc: freebsd-security@FreeBSD.ORG
Date: Sun, 8 Jul 2001 08:27:33 -0400 (EDT)
Subject: Re: IPFilter/IPNat and rdr
In-Reply-To: <3B47EC3A.2734754F@clublinux.org>

The way ipfilter processes rules, a rule takes effect only if it is not
overridden by a subsequent rule, unless the 'quick' keyword is used. If the
'quick' keyword is used, then the rule takes effect immediately and no
further rule processing occurs for that packet. So how about something like
this:

  block in on ep0 from any to 192.168.0.0/16
  pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80
  ...

The first rule blocks traffic to the 192.168 net coming in through your
public interface, but the next rule overrides it and lets the packet in IF
it is bound for port 80 at that particular address. You may or may not want
the quick keyword in that second rule, depending on whether or not you wish
to do any further filtering on those packets bound for your web server.
Ralph

> pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80
> flags S keep state keep frags
>
> However, because NAT occurs before the filtering, I can no longer have a
> rule to prevent packets from the outside that contain a destination IP
> on my internal network from passing through my firewall and entering my
> internal network like this:
>
> block in quick on ep0 from any to 192.168.0.0/16
>
> I realize that packets with a source or destination of 192.168.0.0/16
> should be dropped by routers on the internet, but I know this doesn't
> always happen as our firewall at work has recorded such packets in the
> past.
>
> Am I misunderstanding how IPFilter/IPNat work together correctly? If
> so, is there a way around this problem? If not, would the following
> provide the protection I'm looking for while still allowing people to
> access my web server from the outside?
>
> pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80
> flags S keep state keep frags
> block in quick on ep0 from any to 192.168.0.0/16
>
> This would prevent any packet from the outside with a destination
> address of my internal network from passing through the firewall unless
> it was specifically going to port 80 on my web server, right?
>
> Please CC me on any replies as I'm not currently subscribed to the list.
>
> Thanks in advance,
> Steve
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
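The evaluation order the two messages discuss (last matching rule wins unless a rule is marked quick, and rdr rewriting the destination before the filter sees the packet) is easy to get wrong by hand. The following simulator is an added example written for this archive page; it is not code from the thread or from the IPFilter project. It parses only the subset of ipf.conf syntax that appears above, assumes IPFilter's default verdict of pass when no rule matches, and uses constructed addresses (203.0.113.10 as the firewall's public address, 198.51.100.7 as an outside client) to run Ralph's rule set, Steve's proposed rule set, and Steve's rules with the two quick rules swapped.

```python
"""Added example: simulate IPFilter rule ordering for the rules in this thread.

Grammar covered is the subset used in the thread; addresses are constructed
documentation ranges, not anything from the original messages.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Subset of ipf.conf syntax seen in the thread:
#   (block|pass) (in|out) [quick] on IFACE [proto P] from SRC to DST [port = N]
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<direction>in|out)(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\d+))?"
)


@dataclass(frozen=True)
class Rule:
    action: str
    direction: str
    quick: bool
    iface: str
    proto: Optional[str]                   # None means "any protocol"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    port: Optional[int]


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(
        action=m["action"], direction=m["direction"], quick=bool(m["quick"]),
        iface=m["iface"], proto=m["proto"], src=_net(m["src"]), dst=_net(m["dst"]),
        port=int(m["port"]) if m["port"] else None,
    )


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.port is not None and rule.port != pkt.dport:
        return False
    return True


def evaluate(rules, pkt: Packet, default: str = "pass") -> str:
    """Last matching rule wins; a matching 'quick' rule ends evaluation at once."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Constructed addresses for the example (assumption, not from the thread).
PUBLIC_IP = "203.0.113.10"
WEB_SERVER = "192.168.1.100"


def apply_rdr(pkt: Packet) -> Packet:
    """Model the ipnat rdr step: inbound TCP/80 to the public address is
    rewritten to the internal web server BEFORE the filter rules run."""
    if pkt.direction == "in" and pkt.proto == "tcp" and pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return Packet(pkt.iface, pkt.direction, pkt.proto, pkt.src, WEB_SERVER, 80)
    return pkt


def filter_inbound(rules, pkt: Packet) -> str:
    return evaluate(rules, apply_rdr(pkt))


RALPH_RULES = [parse_rule(l) for l in (
    "block in on ep0 from any to 192.168.0.0/16",
    "pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80",
)]
STEVE_RULES = [parse_rule(l) for l in (
    "pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80",
    "block in quick on ep0 from any to 192.168.0.0/16",
)]


def demo() -> dict:
    """Verdicts for [web request via rdr, TCP/22 aimed at the inside host,
    spoofed UDP aimed at another inside host] under each rule ordering."""
    web = Packet("ep0", "in", "tcp", "198.51.100.7", PUBLIC_IP, 80)
    ssh_inside = Packet("ep0", "in", "tcp", "198.51.100.7", WEB_SERVER, 22)
    spoofed = Packet("ep0", "in", "udp", "198.51.100.7", "192.168.1.5", 53)
    variants = {
        "ralph": RALPH_RULES,
        "steve": STEVE_RULES,
        "reversed_quick": STEVE_RULES[::-1],  # both quick, block listed first
    }
    return {name: [filter_inbound(r, p) for p in (web, ssh_inside, spoofed)]
            for name, r in variants.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:15s} web={verdicts[0]} ssh={verdicts[1]} spoofed={verdicts[2]}")
```

Both orderings from the thread admit the redirected web request and drop the other two packets; swapping Steve's two quick rules drops the web request as well, which is exactly why the original single `block in quick` rule broke the rdr setup.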