Date: Thu, 5 Feb 2004 14:54:32 -0500
From: "Matt Emmerton" <matt@gsicomp.on.ca>
To: "John" <john@starfire.mn.org>, <freebsd-net@freebsd.org>
Subject: Re: IPFW and NAT - blocking RFC 1918 ("unregistered") network thatmatches my own
Message-ID: <002601c3ec21$df9dea10$1200a8c0@gsicomp.on.ca>
References: <20040205134555.A28070@starfire.mn.org>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message -----
From: "John" <john@starfire.mn.org>
To: <freebsd-net@freebsd.org>
Sent: Thursday, February 05, 2004 2:45 PM
Subject: IPFW and NAT - blocking RFC 1918 ("unregistered") network
thatmatches my own
> I am up and running with ipfw 2 and natd, but not all is quite well.
>
> I can't figure out how to block "spoofed" packets from the outside
> that use the same RFC 1918 network as the one I'm translating to.
> When I try to put that rule on the exterior interface, it ends up
> blocking the packets after they are translated.
>
> Specifically, the network I am using falls in the 192.168.0.0/16 range.
> (I won't publish exactly which one: you only have 254 to try...)
> If, however, I put in
> ${fwcmd} add deny ip from any to 192.168.0.0/16 via ${oif}
> then I cut off my interior network entirely, due, presumably, to
> the pass through the rules after translation.
>
> I suspect that I need some combination of "in" or "recv," but I
> would like to actually UNDERSTAND what I'm doing instead of just
> trying combinations 'til it works. On the other hand, there are
> sysctl kernel parameters that might affect this behavior, or maybe
> other natd parameters - so maybe that's not even the ticket.
Your best resource is /etc/rc.firewall. Look at the "simple" configuration.
It has rules for RFC1918 nets both before and after the divert rule, and
explains why.
--
Matt Emmerton
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002601c3ec21$df9dea10$1200a8c0>