From owner-freebsd-security Tue Jul 25 12:49: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 8CCF037B56C for ; Tue, 25 Jul 2000 12:49:05 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 7A3A69EE01; Tue, 25 Jul 2000 12:48:42 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 723F49B001; Tue, 25 Jul 2000 12:48:42 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:48:42 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397D4214.48E908CC@math.missouri.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:

> Actually there is also a rule in rc.firewall:
>
> ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
> which the web site changed to
> ${fwcmd} add deny all from 192.168.0.0/16 to any in via ${oif}
> I found that this change was unnecessary.

Unnecessary, and perhaps unwanted if your LAN isn't fully trusted. The first rule will stop packets with source addresses of 192.168.0.0/16 going anywhere (in or out) on the outside interface. This effectively stops some DoS attacks AND disallows RFC1918 spoofing from your network. The second rule stops inbound (DoS) packets, but 'trusts' your LAN by allowing outbound (spoofed) packets. If your LAN is small and 'trusted', that may be okay; otherwise... you probably don't want to willingly make your network the source of a DoS.

> But if you think about it logically, that change should be necessary.

I'm not sure if this is logical... But here's my view of a packet sent from an inside host to an outside host (and everyone, please correct me if this is wrong; like I said, I've only been toying with ipfw for a couple of weeks now):

* from inside machine for outside machine (sent to inside IP/interface, which is the inside/private network's gw, 'in via iif')
* from outside ip to outside machine (divert, sent 'out via oif')
* delivered to outside machine

That would seem to describe the packet's path as well as why the above rules behave as they do. The ruleset I pasted earlier (and am using now) catches inbound RFC1918 addresses, and allows everything out (check/keep-state). This is because my home LAN consists of only seven hosts at the moment (all touched only by me and my SO). If this was a publicly used LAN, I'd add specific deny/log rules for RFC1918 nets from inside hosts to stop and log DoS attempts.

-mrh

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
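The "via ${oif}" versus "in via ${oif}" comparison in the message above, as an added example that is not part of the original mail, of rc.firewall or of ipfw: a small Python model of just enough ipfw rule matching to show what each variant does to an RFC1918-sourced packet in each direction, plus the outbound deny/log rule the poster says he would add on an untrusted LAN. The interface names (fxp0 inside, fxp1 outside), the sample addresses and the reduced rule grammar are assumptions made for this illustration. The NAT rewrite natd performs between the inside hop and the outside hop is deliberately not modelled: the packets below are what the deny rule sees if a private source does reach that check.

```python
# Added example for this thread; not code from the mail, rc.firewall or ipfw.
# Models enough of ipfw's first-match rule evaluation to compare
#   deny all from 192.168.0.0/16 to any via ${oif}      (either direction)
#   deny all from 192.168.0.0/16 to any in via ${oif}   (inbound only)
# Interface names, sample addresses and the rule grammar subset are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

IIF = "fxp0"   # inside (LAN) interface, assumed name
OIF = "fxp1"   # outside interface, assumed name
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    direction: str   # "in" (received) or "out" (transmitted) on iface
    iface: str


@dataclass(frozen=True)
class Rule:
    action: str               # "deny" or "allow"
    log: bool                 # "deny log ..." records the match
    src: IPv4Network
    dst: IPv4Network
    direction: Optional[str]  # None means plain "via": either direction
    iface: Optional[str]      # None means no interface constraint

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and (self.iface is None or p.iface == self.iface)
                and (self.direction is None or p.direction == self.direction))


def parse_rule(text: str) -> Rule:
    """Parse: <deny|allow> [log] all from <net|any> to <net|any> [in|out] [via <iface>]"""
    tok = text.split()
    action = tok.pop(0)
    if action not in ("deny", "allow"):
        raise ValueError(f"unknown action in {text!r}")
    log = bool(tok and tok[0] == "log")
    if log:
        tok.pop(0)
    if tok[:2] != ["all", "from"] or len(tok) < 5 or tok[3] != "to":
        raise ValueError(f"cannot parse {text!r}")
    src = ANY if tok[2] == "any" else ip_network(tok[2])
    dst = ANY if tok[4] == "any" else ip_network(tok[4])
    rest = tok[5:]
    direction = rest.pop(0) if rest and rest[0] in ("in", "out") else None
    iface = None
    if rest:
        if rest[0] != "via" or len(rest) != 2:
            raise ValueError(f"cannot parse {text!r}")
        iface = rest[1]
    return Rule(action, log, src, dst, direction, iface)


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides, as in ipfw. Nothing matched falls through
    to the kernel's rule 65535, which is deny unless the kernel was built
    with IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for r in rules:
        if r.matches(p):
            return r.action + (" log" if r.log else "")
    return "deny"


# The two variants from the thread, each followed by the permissive
# "allow everything else" the mail describes for its own setup.
STRICT = [parse_rule(f"deny all from 192.168.0.0/16 to any via {OIF}"),
          parse_rule("allow all from any to any")]
TRUSTING = [parse_rule(f"deny all from 192.168.0.0/16 to any in via {OIF}"),
            parse_rule("allow all from any to any")]
# TRUSTING plus the outbound deny/log the mail suggests for an untrusted LAN.
TRUSTING_LOGGED = [TRUSTING[0],
                   parse_rule(f"deny log all from 192.168.0.0/16 to any out via {OIF}"),
                   TRUSTING[1]]

# Constructed sample packets (addresses are documentation ranges, assumed).
LAN_HOST = ip_address("192.168.1.7")
PUBLIC_DST = ip_address("198.51.100.5")
MY_PUBLIC = ip_address("203.0.113.10")
SAMPLES = {
    # LAN host's packet arriving on the inside interface (first hop in the mail)
    "lan_in_via_iif":      Packet(LAN_HOST, PUBLIC_DST, "in", IIF),
    # Packet from the Internet claiming an RFC1918 source (inbound spoof / DoS)
    "rfc1918_in_via_oif":  Packet(LAN_HOST, MY_PUBLIC, "in", OIF),
    # Packet leaving the outside interface still carrying an RFC1918 source
    "rfc1918_out_via_oif": Packet(LAN_HOST, PUBLIC_DST, "out", OIF),
}


def classify(rules: List[Rule]) -> dict:
    """Verdict of a ruleset for each constructed sample packet."""
    return {name: verdict(rules, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("via", STRICT), ("in via", TRUSTING),
                         ("in via + out deny log", TRUSTING_LOGGED)):
        print(f"{label:>22}: {classify(rules)}")
```

Running it shows the difference the mail describes: both rulesets deny the RFC1918 source arriving on the outside interface, but only the plain "via" form also denies it leaving that interface, and the trusting form needs a separate "out via" rule (here with "log") to catch and record that case.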