From owner-freebsd-security Tue Jul 25 17: 7:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP id 5EE5B37BC6C
	for ; Tue, 25 Jul 2000 17:07:05 -0700 (PDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id UAA08510;
	Tue, 25 Jul 2000 20:07:02 -0400 (EDT)
	(envelope-from wollman)
Date: Tue, 25 Jul 2000 20:07:02 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200007260007.UAA08510@khavrinen.lcs.mit.edu>
To: Bill Fumerola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <20000725193941.P51462@jade.chc-chimes.com>
References: <200007252128.OAA52048@gndrsh.dnsmgr.net> <20000725193941.P51462@jade.chc-chimes.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> (short of checking the route back before allowing the packet, which is more
> costly etc etc, cisco has something that does this).

Yep.  Great feature, and it wouldn't be at all hard to implement in
FreeBSD (it should be pretty obvious how to add the check in
ip_forward()).
Of course, even if you do that, you still need to filter out the
``bad'' addresses:

    Extended IP access list no-martians-dos-ai
        deny ip 0.0.0.0 0.255.255.255 any (66130 matches)
        deny ip 127.0.0.0 0.255.255.255 any (235210 matches)
        deny ip 192.0.2.0 0.0.0.255 any (2 matches)
        deny ip 10.0.0.0 0.255.255.255 any (1435097 matches)
        deny ip 172.16.0.0 0.15.255.255 any (686656 matches)
        deny ip 192.168.0.0 0.0.255.255 any (1461597 matches)
        deny ip 169.254.0.0 0.0.255.255 any (92100 matches)
        deny ip 224.0.0.0 15.255.255.255 any (653608 matches)
        deny ip any 128.52.0.255 0.0.255.0 (6266340 matches)
        [private stuff deleted]
        permit ip any any (82311204 matches)

(This is a bit misleading: I'm fairly certain that the last counter
has already wrapped, so the proportion is actually around a tenth of a
percent.)

-GAWollman

-- 
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
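The two checks discussed in the message, a reverse-path lookup before forwarding and a martian filter on top of it, as an added worked example that is not part of the original post and not FreeBSD or Cisco code. It transcribes the wildcard-mask ACL quoted above into a constructed rule set, adds a constructed three-route table (interface names ext0/int0/int1 and the topology they imply are assumptions), and shows why the ACL is still needed once the route-back check exists: a packet from 10/8 arriving on the default-route interface passes a strict reverse-path check and is only stopped by the deny line. The matcher works on bits rather than prefixes because the last deny uses a non-contiguous wildcard (0.0.255.0), matching every x.y.z.255 in 128.52/16.

```python
"""Added example (not from the mailing-list post): a strict reverse-path
check plus a martian filter modelled on the Cisco ACL quoted above."""
import ipaddress

# Constructed ACL, transcribed from the wildcard-mask rules in the post.
# In a Cisco wildcard mask a 1 bit means "don't care", so 0.255.255.255 is
# a /8.  The last deny has a non-contiguous wildcard (0.0.255.0), which is
# why _wild_match below compares bits instead of prefix lengths.
ACL_NO_MARTIANS = """
deny ip 0.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip any 128.52.0.255 0.0.255.0
permit ip any any
"""

# Constructed routing table: (prefix, interface the route points out of).
# Assumed topology: ext0 faces the Internet, int0/int1 face internal nets.
ROUTES = [
    ("0.0.0.0/0", "ext0"),
    ("128.52.0.0/16", "int0"),
    ("18.24.0.0/16", "int1"),
]

ALL_ONES = 0xFFFFFFFF


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def _parse_match(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (_addr(tokens[1]), 0), tokens[2:]
    return (_addr(tokens[0]), _addr(tokens[1])), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        assert proto == "ip", "only plain 'ip' entries are modelled here"
        src, rest = _parse_match(rest)
        dst, rest = _parse_match(rest)
        entries.append((action, src, dst))
    return entries


def _wild_match(spec, addr):
    base, wildcard = spec
    # Bits set in the wildcard are ignored; every other bit must equal base.
    return ((addr ^ base) & ~wildcard & ALL_ONES) == 0


def acl_verdict(entries, src, dst):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    s, d = _addr(src), _addr(dst)
    for action, src_spec, dst_spec in entries:
        if _wild_match(src_spec, s) and _wild_match(dst_spec, d):
            return action
    return "deny"


def rpf_ok(routes, src, ingress):
    """Strict reverse-path check: the longest-prefix route back to the
    source address must point out the interface the packet arrived on."""
    s = ipaddress.IPv4Address(src)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.IPv4Network(prefix)
        if s in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best is not None and best[1] == ingress


def forward_decision(src, dst, ingress, routes=ROUTES, acl=None):
    """What a forwarding path with both checks does with one packet."""
    entries = acl if acl is not None else parse_acl(ACL_NO_MARTIANS)
    if not rpf_ok(routes, src, ingress):
        return "drop:rpf"
    if acl_verdict(entries, src, dst) != "permit":
        return "drop:acl"
    return "forward"


if __name__ == "__main__":
    for pkt in [("18.24.4.193", "128.52.1.1", "int1"),     # legitimate
                ("128.52.7.7", "128.52.1.1", "ext0"),      # spoofed internal source
                ("10.1.2.3", "128.52.1.1", "ext0"),        # passes RPF via default route
                ("18.24.4.193", "128.52.9.255", "int1")]:  # directed-broadcast target
        print(pkt, "->", forward_decision(*pkt))
```

The order matters only for which counter a dropped packet lands on: the reverse-path check catches sources whose best route points elsewhere (an internal prefix arriving from outside), while anything reachable through the default route, including all of RFC 1918 space and multicast sources, sails through it and has to be caught by the deny lines.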