From owner-freebsd-security  Mon Aug 17 16:02:27 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA13618
          for freebsd-security-outgoing; Mon, 17 Aug 1998 16:02:27 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA13611
          for <freebsd-security@FreeBSD.ORG>; Mon, 17 Aug 1998 16:02:23 -0700 (PDT)
          (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 6849 invoked by uid 1001); 17 Aug 1998 23:01:49 +0000 (GMT)
To: girgen@partitur.se
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: private network on router's external NIC?
In-Reply-To: Your message of "Tue, 18 Aug 1998 00:00:08 +0200"
References: <35D8A7E8.2DC50695@partitur.se>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 18 Aug 1998 01:01:49 +0200
Message-ID: <6847.903394909@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I have these commands in my ipfw setup, taken from the systems
> rc.firewall:
> 
>     # Stop RFC1918 nets on the outside interface
>     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
>     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> 
> Makes sense to me. So, how do these ip numbers get out on the Internet?
> How do they get routed anywhere; they're supposed to be private?

Routing is normally done on *destination* address, so a *source* address
within the RFC 1918 address ranges is irrelevant to routing.

There are several reasons why such packets show up, e.g.:

- ISPs with the (bad) idea that they can use RFC 1918 for their internal
network links, because (supposedly) the addresses won't get out. Guess
what happens when you do a traceroute along one of these paths?

- Firewalls which leak internal addresses. I haven't seen these myself,
but have heard of this happening.

- Crackers using RFC 1918 addresses for breakins etc. because you won't
be able to trace the source address.

There are good reasons why some of us filter the RFC 1918 addresses on
our border routers.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message