Date:      Mon, 24 Jul 2000 16:18:04 -0700
From:      Richard Martin <dmartin@origen.com>
To:        Mike Hoskins <mike@adept.org>
Cc:        Stephen Montgomery-Smith <stephen@math.missouri.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: Problems with natd and simple firewall
Message-ID:  <397CCEAC.ECC9CCA6@origen.com>
References:  <Pine.BSF.4.21.0007241258250.24335-100000@snafu.adept.org>

I agree with Stephen: this is an unaddressed concern as written, although a
small one.

> > The web site fixes this by changing the line to:
> >       ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}
>
> That's a completely different rule.  The first rule blocks inbound packets
> with RFC1918 network numbers (attempt to stop spoofing).  The latter stops
> outbound packets (RFC1918-compliant filtering).

Stephen is correct that this is the fix given by the FreeBSD website to
prevent reply packets which are translated by natd from being dropped by the
ruleset. You are both correct that this fix is a different rule and would not
stop an inbound packet forged to be from the 192.168.0 network.

>
> > Is this the correct way to deal with this?  Does this leave the computer
> > open to spoofing?  Is there some clever dynamic rule that could fix
> > this?
>
> Open to spoofing?  That depends who you ask.  Some would say it doesn't,
> since upstream routers should already be filtering RFC1918 nets

On the other hand, I do see packets hitting the other inbound RFC 1918 filters
from time to time.  Someone should have a talk with those routers...  A low-level
concern, but still a concern.

>
> As for a dynamic rule...  I have the following setup:
>
> divert 8668 ip from any to any via oif
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> # specific deny/logs to monitor port scans/etc
> check-state
> allow ip from oip to any keep-state
> allow ip from inw to any keep-state
> # specific allows i want
> deny ip from any to any

The above looks promising.  Is there a man page on using the state commands?

--
Richard Martin       dmartin@origenbio.com

OriGen, inc.         Tel: +1 512 474 7278
2525 Hartford Rd.    Fax: +1 512 708 8522
Austin, TX 78703
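An added example, not from the thread or from FreeBSD's own rc.firewall, that puts the pieces discussed above into one ordered rc.firewall-style rule set: the natd divert placed before the RFC 1918 checks, the web site's "out via" egress rule, and the two keep-state rules from Mike's setup. Interface names, addresses, rule numbers and the FWCMD variable are assumptions; by default the rules are only printed so the ordering can be inspected.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD's rc.firewall). Interface
# names, addresses and rule numbers are assumed placeholders. Run with
# FWCMD=ipfw to load for real; the default only prints the rules.
fwcmd="${FWCMD:-echo ipfw}"
oif="${OIF:-ed0}"                 # outside interface (assumed)
iif="${IIF:-ed1}"                 # inside interface (assumed)
inw="${INW:-192.168.1.0/24}"      # inside network, RFC 1918 (assumed)
oip="${OIP:-203.0.113.10}"        # outside address natd translates to (assumed)

load_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    # Hand every packet on the outside interface to natd. ipfw resumes at the
    # next rule with the translated packet: an inbound reply now carries a
    # 192.168.x.x destination, so a later "deny ... to 192.168.0.0/16 via $oif"
    # with no direction keyword would drop legitimate replies (the problem
    # discussed in the thread).
    ${fwcmd} add 300 divert 8668 ip from any to any via "${oif}"
    # Anti-spoof: private source addresses never legitimately arrive on the
    # outside interface. natd rewrites the destination of inbound packets, not
    # the source, so these checks still hold after the divert.
    ${fwcmd} add 400 deny ip from 10.0.0.0/8 to any in via "${oif}"
    ${fwcmd} add 401 deny ip from 172.16.0.0/12 to any in via "${oif}"
    ${fwcmd} add 402 deny ip from 192.168.0.0/16 to any in via "${oif}"
    # The web site's rule: egress filtering only. "out" keeps it from
    # matching translated inbound replies.
    ${fwcmd} add 500 deny ip from any to 192.168.0.0/16 out via "${oif}"
    # Stateful part: the inside-address rule creates state for the untranslated
    # legs (in via $iif, and the translated reply after the divert); the
    # outside-address rule covers the translated outbound leg via $oif.
    ${fwcmd} add 600 check-state
    ${fwcmd} add 610 allow ip from "${oip}" to any keep-state
    ${fwcmd} add 620 allow ip from "${inw}" to any keep-state
    ${fwcmd} add 65000 deny log ip from any to any
}

# Helpers for checking the generated set without loading it.
count_rules() { load_rules | grep -c -- "$1"; }
rule_number() { load_rules | grep -- "$1" | head -n 1 | awk '{print $3}'; }
```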

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?397CCEAC.ECC9CCA6>