From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 01:40:39 2003
Message-ID: <020201c39c6e$5f0fea40$080ba8c0@admin>
References: <3F833434.5090506@tenebras.com>
Date: Mon, 27 Oct 2003 12:40:22 +0300
Subject: Re: Strange leakage of private source addresses w/ipfw and natd
List-Id: IPFW Technical Discussions

Ok, maybe not THAT important but definitely a Bad Surprise.
Here's the sample (and in current configuration only ICMP packets from time to time are being passed through unaltered):

snort: [1:0:0] POSSIBLE address leakage - ICMP {ICMP} 192.168.5.2 -> 208.115.104.193

[**] POSSIBLE address leakage - ICMP [**]
10/25-22:55:08.782139 192.168.5.2 -> 208.115.104.193
ICMP TTL:255 TOS:0x0 ID:17365 IpLen:20 DgmLen:60
Type:11 Code:0 TTL EXCEEDED IN TRANSIT

192.168.5.2 is Cisco 2509 if it matters.

box details: ipfw2+natd, acts as a gateway. OS version 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #0: Thu Sep 25 08:58:21 MSD 2003, but it doesn't matter as I've seen this behaviour before.

PS I can provide more details if needed.

> > This doesn't have a (user-) noticeable impact on traffic, but
> > installing a silent network recorder outside my firewall shows that
> > some RFC 1918 addrs are getting through.
> don't worry, just block them on the external interface.
>
> > I'll post details when I've got them, but I'm wondering if anyone
> > else has seen this?
> it happens, and with my installation they are coming from the outside.
> clemens
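
Added example, not part of the original thread: a small Python check over snort one-line alerts from a sensor outside the gateway that separates the two cases raised above, private sources that belong to your own network (passed the gateway untranslated) and private sources that come from someone else. The function name, the inside network 192.168.5.0/24 and all sample lines except the first are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Explicit RFC 1918 list; ipaddress.is_private also covers loopback, link-local, etc.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "src[:port] -> dst[:port]" as it appears in snort alert lines.
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?")

def in_any(addr, nets):
    return any(addr in net for net in nets)

def private_sources(alert_text, inside_nets):
    """Count RFC 1918 sources seen outside the gateway, keyed (src, dst, origin).

    origin is "inside-leak" when the source is in one of our own networks
    (hypothetical label: it left the gateway untranslated) and "foreign" when
    it is another site's private address arriving from the outside.
    """
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    seen = Counter()
    for line in alert_text.splitlines():
        m = FLOW.search(line)
        if not m:
            continue
        try:
            src, dst = (ipaddress.ip_address(g) for g in m.groups())
        except ValueError:
            continue  # dotted quad that is not a valid address, e.g. 999.1.1.1
        if not in_any(src, RFC1918):
            continue  # translated or otherwise public source: nothing to report
        origin = "inside-leak" if in_any(src, inside) else "foreign"
        seen[(str(src), str(dst), origin)] += 1
    return seen

# First line is the alert quoted in the post; the remaining lines are constructed.
SAMPLE = """\
snort: [1:0:0] POSSIBLE address leakage - ICMP {ICMP} 192.168.5.2 -> 208.115.104.193
snort: [1:0:0] POSSIBLE address leakage - ICMP {ICMP} 192.168.5.2 -> 208.115.104.193
snort: [1:0:0] constructed alert {TCP} 203.0.113.7:40000 -> 198.51.100.9:80
snort: [1:0:0] constructed alert {UDP} 10.44.0.9:53 -> 203.0.113.7:1025
snort: [1:0:0] constructed alert {ICMP} 999.1.1.1 -> 203.0.113.7
"""

if __name__ == "__main__":
    # Assumption: the inside network is 192.168.5.0/24 (the post only names 192.168.5.2).
    for (src, dst, origin), n in private_sources(SAMPLE, ["192.168.5.0/24"]).items():
        print(f"{origin:12} {src} -> {dst}  x{n}")
```

An "inside-leak" count points at the gateway's own NAT and filter rules; a "foreign" count is the case where blocking RFC 1918 sources on the external interface is enough.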