Date:      Mon, 24 Jul 2000 13:37:21 -0700 (PDT)
From:      Mike Hoskins <mike@adept.org>
To:        Stephen Montgomery-Smith <stephen@math.missouri.edu>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Problems with natd and simple firewall
Message-ID:  <Pine.BSF.4.21.0007241258250.24335-100000@snafu.adept.org>
In-Reply-To: <397C8F30.8DFCE0E9@math.missouri.edu>

On Mon, 24 Jul 2000, Stephen Montgomery-Smith wrote:

> which immediately gets killed by the rule in rc.firewall:
> 	# Stop RFC1918 nets on the outside interface
> 	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

Wait...  why is this actually killing it?  Doesn't it appear as 'to
12.34.56.78 via oif', get inserted into your stack, then converted by natd
and dumped out the iif?

> The web site fixes this by changing the line to:
> 	${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}

That's a completely different rule.  The first rule blocks inbound packets
with RFC1918 network numbers (attempt to stop spoofing).  The latter stops
outbound packets (RFC1918-compliant filtering).

> Is this the correct way to deal with this?  Does this leave the computer
> open to spoofing?  Is there some clever dynamic rule that could fix
> this?  

Open to spoofing?  That depends on who you ask.  Some would say it doesn't,
since upstream routers should already be filtering RFC1918 nets (oh boy,
that can sure start an argument - *nanog memories*), others would say it's
a negligible concern since DoS-type attacks with RFC1918 sources make up
a small amount of actual observed attacks (most use spoofed sources
targeted at perfectly valid network numbers).

As for a dynamic rule...  I have the following setup:

divert 8668 ip from any to any via oif
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
# specific deny/logs to monitor port scans/etc
check-state
allow ip from oip to any keep-state
allow ip from inw to any keep-state
# specific allows i want
deny ip from any to any

This is still very much in development, and I've only been playing with
ipfw a short while (should the keep-state lines be 'to any setup
keep-state' instead of just 'to any keep-state'?), but this seems to work
well for me.

The result is a protected LAN which can do anything it wants (controls
could easily be tightened if I chose by adding denys), but only receives
traffic I dictate.

-mrh
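A toy model of ipfw's first-match evaluation with a natd divert, added here as an illustration and not code from the thread, showing why the order of the divert and the RFC1918 deny rule decides the outcome. It assumes, as the reported symptom implies, that the natd divert runs before the deny, and it uses a constructed natd mapping (12.34.56.78 -> 192.168.1.10), a constructed outside address 198.51.100.7, and the interface name "oif" from the thread; ports, protocols and keep-state are left out.

```python
import ipaddress

OIF = "oif"                              # outside interface name used in the thread
PUBLIC = "12.34.56.78"                   # public address from the thread
RFC1918_NET = ipaddress.ip_network("192.168.0.0/16")
NAT_TABLE = {PUBLIC: "192.168.1.10"}     # constructed natd mapping (assumption)

def matches(rule, p):
    """'via' = no 'dir' key (either direction); 'in via'/'out via' set one."""
    if rule.get("iface") and rule["iface"] != p["iface"]:
        return False
    if rule.get("dir") and rule["dir"] != p["dir"]:
        return False
    if "dst" in rule and ipaddress.ip_address(p["dst"]) not in rule["dst"]:
        return False
    return True

def natd(p):
    """Model natd: rewrite inbound dst to the LAN host, outbound src to PUBLIC."""
    q = dict(p)
    if p["dir"] == "in" and p["dst"] in NAT_TABLE:
        q["dst"] = NAT_TABLE[p["dst"]]
    elif p["dir"] == "out" and p["src"] in NAT_TABLE.values():
        q["src"] = PUBLIC
    return q

def evaluate(rules, p):
    """First match wins; a divert hands the packet to natd and evaluation
    resumes at the next rule with the translated packet. Default is deny."""
    for rule in rules:
        if not matches(rule, p):
            continue
        if rule["action"] == "divert":
            p = natd(p)
            continue
        return rule["action"]
    return "deny"

DIVERT = {"action": "divert", "iface": OIF}                       # divert natd ... via oif
DENY_VIA = {"action": "deny", "dst": RFC1918_NET, "iface": OIF}   # deny ... to 192.168.0.0/16 via oif
DENY_OUT_VIA = {**DENY_VIA, "dir": "out"}                          # the web site's 'out via' change
DENY_IN_VIA = {**DENY_VIA, "dir": "in"}                            # inbound-only variant
ALLOW = {"action": "allow"}                                       # stands in for the keep-state rules
REPLY = {"src": "198.51.100.7", "dst": PUBLIC, "dir": "in", "iface": OIF}         # constructed reply
SPOOF = {"src": "198.51.100.7", "dst": "192.168.1.10", "dir": "in", "iface": OIF}  # constructed spoof

def verdicts():
    """(reply, spoof) verdict per ordering: rc.firewall's, the 'out via' fix, deny before divert."""
    orders = {"divert, deny via": [DIVERT, DENY_VIA, ALLOW],
              "divert, deny out via": [DIVERT, DENY_OUT_VIA, ALLOW],
              "deny in via, divert": [DENY_IN_VIA, DIVERT, ALLOW]}
    return {k: (evaluate(r, REPLY), evaluate(r, SPOOF)) for k, r in orders.items()}
```

With the divert first, the reply is already translated to 192.168.1.10 when the `via` deny sees it, so it dies; the `out via` change lets the reply through but also lets the spoofed packet through, while a `deny ... in via oif` placed before the divert keeps the inbound check and still passes the reply.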


