From owner-freebsd-security Mon Jul 24 11:47:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rdc1.il.home.com (ha1.rdc1.il.home.com [24.2.1.66]) by hub.freebsd.org (Postfix) with ESMTP id 0515E37BA5D for ; Mon, 24 Jul 2000 11:47:15 -0700 (PDT) (envelope-from stephen@math.missouri.edu)
Received: from math.missouri.edu ([24.12.197.197]) by mail.rdc1.il.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000724184713.BBDY11071.mail.rdc1.il.home.com@math.missouri.edu> for ; Mon, 24 Jul 2000 11:47:13 -0700
Message-ID: <397C8F30.8DFCE0E9@math.missouri.edu>
Date: Mon, 24 Jul 2000 13:47:12 -0500
From: Stephen Montgomery-Smith
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.14 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Problems with natd and simple firewall
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I recently tried to get natd to work with the default rc.firewall that comes with FreeBSD 4.1RC, and it didn't work. I found the problem, from looking at the web site

    http://www.mostgraveconcern.com/freebsd/sheet.cgi?ipfw

which has a cure, but I wonder if there are other ways to fix it. In any case, the rc.firewall is currently seriously deficient.

Here is the setup: my external network has net:mask = 12.34.56.0/24 and my internal network has net:mask = 192.168.1/24.

Now, suppose I have established a connection:

    192.168.1.2:4444 to 34.56.78.90:22

natd changes this to

    12.34.56.78:4444 to 34.56.78.90:22

Now a piece of tcp comes in:

    34.56.78.90:22 to 12.34.56.78:4444 via outside-interface

natd converts this to

    34.56.78.90:22 to 192.168.1.2:4444 via outside-interface

which immediately gets killed by the rule in rc.firewall:

    # Stop RFC1918 nets on the outside interface
    ...........
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

The web site fixes this by changing the line to:

    ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}

Is this the correct way to deal with this? Does this leave the computer open to spoofing? Is there some clever dynamic rule that could fix this? Or is there some option to natd that would change

    34.56.78.90:22 to 12.34.56.78:4444 via outside-interface

to

    34.56.78.90:22 to 192.168.1.2:4444 via inside-interface

? I think that the last option would be the best, and if natd does not allow it, maybe it should be added to the program.

-- 
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
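As an added illustration (not part of the post, and not FreeBSD's rc.firewall or natd code): a small Python model of ipfw first-match evaluation with a natd divert rule, using the addresses from the post. It reproduces the deny of the translated reply when the RFC1918 rule follows the divert and uses plain "via", then compares two changes: the web site's "out via" qualifier, and moving the RFC1918 deny ahead of the divert so it sees the packet before natd rewrites it. The interface name fxp0, the single stand-in "allow" rule standing for the rest of rc.firewall, and natd keeping the original source port are assumptions made for the model.

```python
"""Toy model of ipfw first-match evaluation with a natd divert rule.

Constructed example for the thread above, not ipfw/natd code. Model:
rules are tried in order; a divert rule hands the packet to natd and
evaluation continues with the next rule; the first allow/deny wins.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

OIF = "fxp0"            # assumed outside interface name (${oif})
ALIAS = "12.34.56.78"   # natd alias address used in the post


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    direction: str      # "in" or "out" relative to the host


class Natd:
    """Minimal natd: outbound source becomes the alias, replies map back."""

    def __init__(self, alias: str):
        self.alias = alias
        self.table = {}  # alias port -> (inside ip, inside port); port kept (assumption)

    def translate(self, pkt: Packet) -> Packet:
        if pkt.direction == "out" and pkt.iface == OIF:
            self.table[pkt.sport] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.alias)
        if pkt.direction == "in" and pkt.dst == self.alias and pkt.dport in self.table:
            ip, port = self.table[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        return pkt       # no mapping: natd passes it through unchanged


@dataclass(frozen=True)
class Rule:
    action: str                      # "divert", "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None  # None models "via": either direction
    iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr, net):
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and (self.direction is None or self.direction == pkt.direction)
                and (self.iface is None or self.iface == pkt.iface))


def evaluate(rules, natd: Natd, pkt: Packet):
    """Return (verdict, packet as the terminating rule saw it)."""
    for r in rules:
        if not r.matches(pkt):
            continue
        if r.action == "divert":
            pkt = natd.translate(pkt)   # natd reinjects; continue at the next rule
            continue
        return r.action, pkt
    return "deny", pkt                  # ipfw default rule 65535: deny


def simple_ruleset(rfc1918_direction=None, rfc1918_first=False):
    """divert natd + the RFC1918 deny from the post + a stand-in final allow."""
    divert = Rule("divert", iface=OIF)
    rfc1918 = Rule("deny", dst="192.168.0.0/16", direction=rfc1918_direction, iface=OIF)
    tail = Rule("allow")                # stand-in for the remainder of rc.firewall
    return [rfc1918, divert, tail] if rfc1918_first else [divert, rfc1918, tail]


def run_session(rules):
    """Outbound SYN, the reply to it, then an unsolicited packet to 192.168.1.2."""
    natd = Natd(ALIAS)
    out = Packet("192.168.1.2", 4444, "34.56.78.90", 22, OIF, "out")
    reply = Packet("34.56.78.90", 22, ALIAS, 4444, OIF, "in")
    spoof = Packet("34.56.78.90", 22, "192.168.1.2", 5555, OIF, "in")  # no NAT entry
    return {name: evaluate(rules, natd, p)[0]
            for name, p in (("out", out), ("reply", reply), ("spoof", spoof))}


if __name__ == "__main__":
    print("as shipped (via):   ", run_session(simple_ruleset()))
    print("web site (out via): ", run_session(simple_ruleset(rfc1918_direction="out")))
    print("deny before divert: ", run_session(simple_ruleset(rfc1918_first=True)))
```

Under this model the shipped order denies the translated reply, exactly as the post describes. The "out via" variant lets the reply through, but an unsolicited inbound packet already addressed to 192.168.1.2 also passes that rule and is left to whatever follows, which is the spoofing question the post raises. Putting the RFC1918 deny ahead of the divert drops that packet while the reply, still addressed to the alias when the deny rule sees it, reaches the divert and is translated. The model stops at a stand-in allow, so it says nothing about what the rest of rc.firewall would do with a packet that gets past these rules.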