Date: Mon, 24 Jul 2000 13:37:21 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: freebsd-security@freebsd.org
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397C8F30.8DFCE0E9@math.missouri.edu>

On Mon, 24 Jul 2000, Stephen Montgomery-Smith wrote:

> which immediately gets killed by the rule in rc.firewall:
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

Wait... why is this actually killing it? Doesn't it appear as 'to 12.34.56.78 via oif', get inserted into your stack, then converted by natd and dumped out the iif?

> The web site fixes this by changing the line to:
> ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}

That's a completely different rule. The first rule blocks inbound packets with RFC1918 network numbers (an attempt to stop spoofing). The latter stops outbound packets (RFC1918-compliant filtering).

> Is this the correct way to deal with this? Does this leave the computer
> open to spoofing? Is there some clever dynamic rule that could fix
> this?

Open to spoofing? That depends on who you ask. Some would say it doesn't, since upstream routers should already be filtering RFC1918 nets (oh boy, that can sure start an argument - *nanog memories*); others would say it's a negligible concern, since DoS-type attacks with RFC1918 sources make up a small amount of actual observed attacks (most use spoofed sources targeted at perfectly valid network numbers).

As for a dynamic rule... I have the following setup:

    divert 8668 ip from any to any via oif
    allow ip from any to any via lo0
    deny ip from any to 127.0.0.0/8
    # specific deny/logs to monitor port scans/etc
    check-state
    allow ip from oip to any keep-state
    allow ip from inw to any keep-state
    # specific allows i want
    deny ip from any to any

This is still very much in development, and I've only been playing with ipfw a short while (should the keep-state lines be 'to any setup keep-state' instead of just 'to any keep-state'?), but this seems to work well for me. The result is a protected LAN which can do anything it wants (controls could easily be tightened if I chose, by adding denys), but only receives traffic I dictate.

-mrh
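An added example, not code from either poster: the ruleset above assembled as an rc.firewall-style script, with the "out via" form of the RFC1918 rule from the quoted web site placed after the natd divert. It prints the rules by default so it can be inspected anywhere; the interface name ed0 and the LAN network 192.168.1.0/24 are assumed placeholders, and 12.34.56.78 is the example outside address from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: the poster's ruleset assembled
# as an rc.firewall-style script. With FWCMD unset the rules are only
# printed (dry run); set FWCMD=/sbin/ipfw on a FreeBSD box to load them.
oif="${OIF:-ed0}"                # outside interface (assumed placeholder)
oip="${OIP:-12.34.56.78}"        # outside address (example value from the thread)
inw="${INW:-192.168.1.0/24}"     # inside LAN (assumed placeholder)
fwcmd="${FWCMD:-echo ipfw}"      # dry run unless FWCMD is set

build_rules() {
    ${fwcmd} -f flush
    # natd first: an inbound packet arrives as 'to ${oip} via ${oif}', is
    # diverted here, and re-enters at the next rule with a 192.168.x.x
    # destination after translation.
    ${fwcmd} add 100 divert 8668 ip from any to any via ${oif}
    ${fwcmd} add 200 allow ip from any to any via lo0
    ${fwcmd} add 300 deny ip from any to 127.0.0.0/8
    # 'out via' matches only packets leaving ${oif}; the plain 'via' form
    # also matches the translated inbound packet coming back from rule 100.
    ${fwcmd} add 400 deny all from any to 10.0.0.0/8 out via ${oif}
    ${fwcmd} add 410 deny all from any to 172.16.0.0/12 out via ${oif}
    ${fwcmd} add 420 deny all from any to 192.168.0.0/16 out via ${oif}
    # Dynamic rules: outbound traffic from the LAN (before translation) and
    # from the outside address (after translation) creates state; inbound
    # packets must match an existing entry at check-state or fall through
    # to the final deny.
    ${fwcmd} add 500 check-state
    ${fwcmd} add 600 allow ip from ${oip} to any keep-state
    ${fwcmd} add 610 allow ip from ${inw} to any keep-state
    ${fwcmd} add 65000 deny ip from any to any
}

build_rules
```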