Date:      Tue, 25 Jul 2000 12:23:15 -0700 (PDT)
From:      Mike Hoskins <mike@adept.org>
To:        Stephen Montgomery-Smith <stephen@math.missouri.edu>
Cc:        cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject:   Re: Problems with natd and simple firewall
Message-ID:  <Pine.BSF.4.21.0007251214390.27676-100000@snafu.adept.org>
In-Reply-To: <397D4062.4A1FFFE2@math.missouri.edu>

On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:

> >         ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
> >         $fwcmd add divert natd all from any to any via ${natd_interface}
> Yes, I had the same idea over dinner.  Trouble is, it doesn't work.
> I tried it.

Note that I'm not arguing this couldn't be clearer or that, possibly, the
code needs to be cleaned up in some way.  I'm not arguing for or against such
statements - I haven't looked at the code, so I'm trying to offer advice
based only upon ipfw(8) and my lowly interpretation thereof...

With that in mind, consider the above rules...

A packet from an external host attempting to communicate with an inside,
privately addressed host will undergo the following:

* from outside machine to outside IP (in oif)
* from outside IP to inside IP (divert)
* deliver to inside IP (out iif)

Given this behavior, the above rules will obviously not work, because the
'deny all from ANY' rule will deny packets from 'outside IP to inside IP'
which must take place according to the behavior described above.

-mrh
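The three-stage walk above, as an added worked example that is not part of the original thread: a small Python model of first-match rule evaluation in which the packet is checked on the outside interface, rewritten by natd to the inside address and checked again, then delivered out the inside interface. It follows the traversal exactly as the mail describes it and is not a model of ipfw's exact divert re-injection semantics. Interface names (`ed0`, `ed1`) and all addresses are constructed for the example; the mail itself only uses `${oif}` and `${natd_interface}`.

```python
"""Model of the packet walk described in the mail: an inbound packet to the
public address is (1) checked on the outside interface, (2) rewritten by natd
to the inside address and checked again, (3) delivered out the inside
interface.  This follows the mail's description of the traversal; it is not a
model of ipfw's exact divert re-injection rules."""
import ipaddress
from dataclasses import dataclass, replace

# Interface names and addresses are constructed for the example; the mail
# only uses ${oif} and ${natd_interface} (taken to be the same interface).
OIF = "ed0"                 # outside interface
IIF = "ed1"                 # inside interface
PUBLIC_IP = "203.0.113.5"   # address natd translates to/from
INSIDE_IP = "192.168.1.10"  # privately addressed inside host
OUTSIDE_HOST = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    translated: bool = False


@dataclass(frozen=True)
class Rule:
    action: str            # "deny", "allow" or "divert"
    dst_net: str = "any"   # destination prefix, or "any"
    via: str = "any"       # interface name, or "any" ('via' is direction-agnostic)

    def matches(self, pkt: Packet) -> bool:
        if self.via != "any" and self.via != pkt.iface:
            return False
        if self.dst_net != "any" and \
           ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        # natd has already handled a translated packet; don't divert it twice
        if self.action == "divert" and pkt.translated:
            return False
        return True


def first_match(rules, pkt: Packet) -> str:
    """ipfw-style first-match: the first matching rule decides the verdict."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "allow"   # simplification: no explicit rule -> pass


def natd(pkt: Packet) -> Packet:
    """Inbound translation as natd performs it: public destination -> inside host."""
    if pkt.dst == PUBLIC_IP:
        return replace(pkt, dst=INSIDE_IP, translated=True)
    return pkt


def walk(rules, dst=PUBLIC_IP, src=OUTSIDE_HOST):
    """Return [(stage, destination, verdict), ...] for one inbound packet."""
    trace = []
    pkt = Packet(src=src, dst=dst, iface=OIF)
    # stage 1: from outside machine to outside IP (in oif)
    verdict = first_match(rules, pkt)
    trace.append(("in oif", pkt.dst, verdict))
    if verdict == "deny":
        return trace
    if verdict == "divert":
        # stage 2: from outside IP to inside IP (divert), re-checked as the mail describes
        pkt = natd(pkt)
        verdict = first_match(rules, pkt)
        trace.append(("divert", pkt.dst, verdict))
        if verdict == "deny":
            return trace
    # stage 3: deliver to inside IP (out iif)
    pkt = replace(pkt, iface=IIF)
    verdict = first_match(rules, pkt)
    trace.append(("out iif", pkt.dst, verdict))
    return trace


# The two rules quoted in the thread, in the order given there.
QUOTED_RULES = [
    Rule("deny", dst_net="192.168.0.0/16", via=OIF),  # deny all from any to 192.168.0.0/16 via ${oif}
    Rule("divert", via=OIF),                           # divert natd all from any to any via ${natd_interface}
]

if __name__ == "__main__":
    # A legitimate inbound packet to the public address dies at the divert stage.
    for stage, dst, verdict in walk(QUOTED_RULES):
        print(f"{stage:8} dst={dst:15} -> {verdict}")
```

Running it shows the legitimate packet being diverted on the outside interface and then, with its destination rewritten to 192.168.1.10, hitting the `deny all from any to 192.168.0.0/16 via ${oif}` rule. Calling `walk(QUOTED_RULES, dst="192.168.1.10")` shows the same rule doing its intended job on a packet that arrives from outside already addressed to the private range: that one is denied at stage 1, before any translation.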
