From owner-freebsd-security Mon Jul 24 14:19:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id F418537BC01 for ; Mon, 24 Jul 2000 14:19:22 -0700 (PDT) (envelope-from dmartin@origen.com)
Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id QAA86604; Mon, 24 Jul 2000 16:19:13 -0500 (CDT) (envelope-from dmartin@origen.com)
Message-ID: <397CCEAC.ECC9CCA6@origen.com>
Date: Mon, 24 Jul 2000 16:18:04 -0700
From: Richard Martin
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Hoskins
Cc: Stephen Montgomery-Smith , freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I agree with Stephen, this is an unaddressed concern as written, although a small one.

> > The web site fixes this by changing the line to:
> > ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}
>
> That's a completely different rule. The first rule blocks inbound packets
> with RFC1918 network numbers (attempt to stop spoofing). The latter stops
> outbound packets (RFC1918-compliant filtering).

Stephen is correct that this is the fix given by the FreeBSD website to prevent reply packets which are translated by natd from being dropped by the ruleset. You are both correct that this fix is a different rule and would not stop an inbound packet forged to be from the 192.168.0 network.

> > > Is this the correct way to deal with this? Does this leave the computer
> > > open to spoofing? Is there some clever dynamic rule that could fix
> > > this?
>
> Open to spoofing? That depends who you ask. Some would say it doesn't,
> since upstream routers should already be filtering RFC1918 nets

On the other hand, I do see packets hitting the other inbound RFC 1918 filters from time to time. Someone should have a talk with those routers... A low level concern, but still a concern.

> As for a dynamic rule... I have the following setup:
>
> divert 8668 ip from any to any via oif
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> # specific deny/logs to monitor port scans/etc
> check-state
> allow ip from oip to any keep-state
> allow ip from inw to any keep-state
> # specific allows i want
> deny ip from any to any

This above looks promising - Is there a man page on using the state commands?

--
Richard Martin          dmartin@origenbio.com
OriGen, inc.            Tel: +1 512 474 7278
2525 Hartford Rd.       Fax: +1 512 708 8522
Austin, TX 78703

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
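The ordering question behind the website's "out via" fix and the stateful setup quoted above, as an added example that is not code from this thread or from rc.firewall (interface names, addresses and rule numbers are assumptions): the inbound RFC1918 checks are placed before the natd divert rule so they inspect the packet as it arrived on the wire, and check-state/keep-state, documented in ipfw(8), are used as in the quoted setup.

```shell
#!/bin/sh
# Added example (not the thread's code): an rc.firewall-style rule generator
# that keeps the inbound RFC1918 checks the "out via" fix gives up, by placing
# them BEFORE the natd divert rule so they inspect the packet as it arrived
# on the wire, i.e. before natd rewrites its destination to 192.168.x.y.
# Interface names, addresses and rule numbers are assumptions for this example.
oif="fxp0"; iif="fxp1"              # outside / inside interface (assumed)
oip="203.0.113.10"                  # public address (assumed, documentation range)
inet="192.168.0.0/24"               # inside network (assumed)
fwcmd="${FWCMD:-echo /sbin/ipfw}"   # dry run by default: print, do not apply
rfc1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

gen_ruleset() {
    ${fwcmd} add 100 allow all from any to any via lo0
    ${fwcmd} add 110 deny all from any to 127.0.0.0/8
    # Anti-spoofing and anti-leak on the outside interface, before natd.
    # A genuine reply arrives addressed to ${oip}, so an inbound packet
    # carrying a private source OR destination is forged or misrouted.
    for net in ${rfc1918}; do
        ${fwcmd} add 200 deny log all from ${net} to any in via ${oif}
        ${fwcmd} add 210 deny log all from any to ${net} in via ${oif}
        ${fwcmd} add 220 deny all from any to ${net} out via ${oif}
    done
    # Translation happens here; every rule below sees rewritten addresses.
    ${fwcmd} add 300 divert natd all from any to any via ${oif}
    # Stateful section. The rule for ${inet} fires on the inside interface
    # before translation, so the dynamic rule it creates matches the
    # translated reply after that reply passes rule 300 on the way in.
    ${fwcmd} add 400 check-state
    ${fwcmd} add 410 allow all from ${inet} to any keep-state
    ${fwcmd} add 420 allow all from ${oip} to any keep-state
    ${fwcmd} add 65000 deny log all from any to any
}

# Succeeds (exit 0) only if no inbound deny appears after the divert rule.
inbound_checks_precede_divert() {
    gen_ruleset | awk '
        /divert natd/ { seen = 1 }
        /deny/ && / in via / && seen { bad = 1 }
        END { exit bad }'
}
```

Run with FWCMD=/sbin/ipfw to apply the rules instead of printing them; the default dry run lets the ordering be reviewed first.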