Date: Tue, 18 Aug 1998 00:00:08 +0200
From: Palle Girgensohn <girgen@partitur.se>
To: freebsd-security@FreeBSD.ORG
Subject: private network on router's external NIC?
Message-ID: <35D8A7E8.2DC50695@partitur.se>

Hi!

I have a question. For some time, I've been filtering packages using ipfw. The setup is a FreeBSD machine with two NICs that routes between an external network, with this machine and a Cisco on, and our internal LAN (which also has TRUE internet addresses). No private network number stuff, no natd. Just plain routing.

Every once in a while, packages from 192.168.x.y on the external interface are logged and deferred. They are mostly trying to reach the http port of one of our web servers (inside), but also sometimes port 137-139 (netbios-*) and a few others.

Are they really attempted break-ins? All of them? They show up almost every day, though in small numbers (10-20, perhaps, usually from different ip numbers different days).

I have these commands in my ipfw setup, taken from the system's rc.firewall:

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

Makes sense to me. So, how do these ip numbers get out on the Internet? How do they get routed anywhere; they're supposed to be private?

/Palle

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
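
Added example, not part of the original message: one way to tally the denied packets described above by source and destination service, so the daily trickle can be judged from the counts. The log line shape, rule numbers, interface names and addresses below are constructed assumptions; only the three addr:mask blocks come from the quoted rules.

```python
import ipaddress
import re
from collections import Counter

# The three RFC1918 blocks in the same addr:mask form as the quoted rules.
RFC1918 = ["192.168.0.0:255.255.0.0", "172.16.0.0:255.240.0.0", "10.0.0.0:255.0.0.0"]
NETS = [ipaddress.ip_network(s.replace(":", "/")) for s in RFC1918]

# Assumed log shape: "ipfw: <rule> Deny <proto> <src>[:port] <dst>[:port] in|out via <if>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample lines (documentation addresses stand in for the real LAN).
SAMPLE = """\
Aug 17 09:12:01 gw /kernel: ipfw: 1400 Deny TCP 192.168.1.20:1045 192.0.2.10:80 in via ed1
Aug 17 09:12:04 gw /kernel: ipfw: 1400 Deny TCP 192.168.1.20:1046 192.0.2.10:80 in via ed1
Aug 17 11:40:13 gw /kernel: ipfw: 1400 Deny UDP 192.168.0.7:137 192.0.2.10:137 in via ed1
Aug 17 13:02:55 gw /kernel: ipfw: 1800 Deny TCP 10.1.2.3:2001 192.0.2.11:139 in via ed1
Aug 17 13:05:00 gw /kernel: ipfw: 2000 Deny TCP 198.51.100.9:3000 192.0.2.10:23 in via ed1
Aug 17 13:06:00 gw /kernel: ipfw: 1400 Deny TCP 192.168.5.5:1100 192.0.2.10:80 in via ed0
""".splitlines()


def is_rfc1918(addr):
    """True if addr falls inside any of the three private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NETS)


def summarize(lines, oif):
    """Tally denied packets with a private source seen on interface oif.

    Returns (Counter keyed by (proto, dst port), set of private sources).
    """
    by_service = Counter()
    sources = set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["iface"] != oif or not is_rfc1918(m["src"]):
            continue
        by_service[(m["proto"], m["dport"])] += 1
        sources.add(m["src"])
    return by_service, sources


if __name__ == "__main__":
    services, srcs = summarize(SAMPLE, "ed1")
    for (proto, port), n in services.most_common():
        print(f"{n:3d}  {proto} -> port {port}")
    print("private sources:", ", ".join(sorted(srcs)))
```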