From owner-freebsd-security Tue Jul 25 12:23:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 43BCF37B873 for ; Tue, 25 Jul 2000 12:23:41 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id E557A9EE01; Tue, 25 Jul 2000 12:23:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id DD8569B001; Tue, 25 Jul 2000 12:23:15 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:23:15 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397D4062.4A1FFFE2@math.missouri.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:

> > ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
> > $fwcmd add divert natd all from any to any via ${natd_interface}
>
> Yes, I had the same idea over dinner. Trouble is, it doesn't work.
> I tried it.

Note that I'm not arguing this couldn't be clearer or that, possibly, the code needs to be cleaned up in some way. I'm not arguing for or against such statements - I haven't looked at the code, so I'm trying to offer advice based only upon ipfw(8) and my lowly interpretation thereof... With that in mind, consider the above rules...

A packet from an external host attempting to communicate with an inside, privately addressed host will undergo the following:

* from outside machine to outside IP (in oif)
* from outside IP to inside IP (divert)
* deliver to inside IP (out iif)

Given this behavior, the above rules will obviously not work, because the 'deny all from ANY' rule will deny packets from 'outside IP to inside IP', which must take place according to the behavior described above.

-mrh

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
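The three inbound steps listed in the message, worked through as an added example (this is not code from the thread or from FreeBSD's rc.firewall): a small Python matcher for the subset of ipfw(8) rule syntax quoted above, which looks each step up independently from the top of the two-rule set. The interface names, the sample addresses, and the choice to treat the post-divert packet as still seen on the outside interface are constructed assumptions; how ipfw really resumes processing after natd reinjects a packet is deliberately not modelled.

```python
"""Toy model of ipfw-style rule matching for the inbound steps listed above.

Added example, not code from the thread or from FreeBSD's rc.firewall.
Assumptions (all constructed): interface names, the sample addresses, and
that each of the three steps is looked up independently from the top of the
rule set, with the post-divert packet still associated with the outside
interface. Real ipfw/natd reinjection semantics are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OIF = "ed0"  # assumed ${oif} / ${natd_interface}: outside interface
IIF = "ed1"  # assumed ${iif}: inside interface


@dataclass
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out"


@dataclass
class Rule:
    action: str                      # "deny", "allow" or "divert natd"
    src: str                         # "any" or a CIDR prefix
    dst: str
    iface: Optional[str] = None      # "via X" matches X in either direction
    direction: Optional[str] = None  # optional "in"/"out" qualifier

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        if not (self._addr_ok(self.src, p.src) and self._addr_ok(self.dst, p.dst)):
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        return self.direction is None or self.direction == p.direction


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw(8) syntax used in the quoted rules:
    <action> all from <src> to <dst> [in|out] [via <iface>]"""
    toks = text.split()
    if toks[:2] == ["divert", "natd"]:
        action, toks = "divert natd", toks[2:]
    else:
        action, toks = toks[0], toks[1:]
    if toks[:2] != ["all", "from"] or toks[3] != "to":
        raise ValueError(f"unsupported rule: {text!r}")
    src, dst, rest = toks[2], toks[4], toks[5:]
    iface = direction = None
    i = 0
    while i < len(rest):
        if rest[i] in ("in", "out"):
            direction, i = rest[i], i + 1
        elif rest[i] == "via" and i + 1 < len(rest):
            iface, i = rest[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {rest[i]!r} in {text!r}")
    return Rule(action, src, dst, iface, direction)


# The two rules quoted in the message, with the shell variables substituted.
RULES = [
    parse_rule(f"deny all from any to 192.168.0.0/16 via {OIF}"),
    parse_rule(f"divert natd all from any to any via {OIF}"),
]


def first_match(rules: List[Rule], p: Packet) -> Optional[Tuple[int, str]]:
    """Return (1-based rule number, action) of the first matching rule,
    or None when no rule matches (ipfw's default rule would then decide)."""
    for n, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return n, rule.action
    return None


def trace_inbound(rules: List[Rule]) -> List[Tuple[str, Optional[Tuple[int, str]]]]:
    """Evaluate the three steps listed in the message for one inbound packet.
    Addresses are constructed documentation-range samples."""
    ext, public, inside = "203.0.113.5", "198.51.100.2", "192.168.1.10"
    steps = [
        ("outside machine -> outside IP (in oif)", Packet(ext, public, OIF, "in")),
        ("outside IP -> inside IP (after divert)", Packet(ext, inside, OIF, "in")),
        ("deliver to inside IP (out iif)", Packet(ext, inside, IIF, "out")),
    ]
    return [(label, first_match(rules, pkt)) for label, pkt in steps]


if __name__ == "__main__":
    for label, result in trace_inbound(RULES):
        print(f"{label:42s} -> {result}")
```

Under these assumptions the first step reaches the divert rule, the second step (destination now a 192.168.0.0/16 address, still seen on the outside interface) is caught by rule 1 because `via` matches the named interface in either direction, and the third step matches neither rule, leaving it to ipfw's default rule. The model is a reasoning aid for rule ordering and the `via`/`in`/`out` qualifiers, not a substitute for testing the rule set on the host.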