Date: Tue, 18 Aug 1998 01:01:49 +0200
From: sthaug@nethelp.no
To: girgen@partitur.se
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: private network on router's external NIC?
Message-ID: <6847.903394909@verdi.nethelp.no>
In-Reply-To: Your message of "Tue, 18 Aug 1998 00:00:08 +0200"
References: <35D8A7E8.2DC50695@partitur.se>
> I have these commands in my ipfw setup, taken from the system's
> rc.firewall:
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> Makes sense to me. So, how do these IP numbers get out on the Internet?
> How do they get routed anywhere; they're supposed to be private?

Routing is normally done on *destination* address, so a *source* address
within the RFC 1918 address ranges is irrelevant to routing. There are
several reasons why such packets show up, e.g.:

- ISPs with the (bad) idea that they can use RFC 1918 for their internal
  network links, because (supposedly) the addresses won't get out. Guess
  what happens when you do a traceroute along one of these paths?

- Firewalls which leak internal addresses. I haven't seen these myself,
  but have heard of this happening.

- Crackers using RFC 1918 addresses for breakins etc. because you won't
  be able to trace the source address.

There are good reasons why some of us filter the RFC 1918 addresses on
our border routers.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
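To make the point concrete, here is a small Python model of the six rc.firewall rules quoted above, run against a few constructed packets: forwarding looks only at the destination, so a packet with a spoofed 10/8 source and a public destination is perfectly routable, and it is the border filter on the external interface, not routing, that drops it. This is an added example, not code from the message or from FreeBSD; the interface name ed0 and the sample addresses are assumptions.

```python
import ipaddress

# Constructed data: the three RFC 1918 blocks, in the addr:mask form the
# quoted rc.firewall lines use.
RFC1918 = [
    ("192.168.0.0", "255.255.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("10.0.0.0", "255.0.0.0"),
]
OIF = "ed0"  # assumed name of the external interface (${oif} in the script)
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_ipfw_addr(spec):
    """Translate ipfw's 'addr:mask' (or 'any') into an ip_network."""
    if spec == "any":
        return ANY
    addr, mask = spec.split(":", 1)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def build_rules(oif=OIF):
    """The six 'deny all from X to Y via ${oif}' rules as (src, dst, iface)."""
    rules = []
    for addr, mask in RFC1918:
        net = parse_ipfw_addr(f"{addr}:{mask}")
        rules.append((net, ANY, oif))  # deny all from <net> to any via oif
        rules.append((ANY, net, oif))  # deny all from any to <net> via oif
    return rules

def routable_by_destination(dst):
    """What the Internet core looks at: only the destination. A spoofed
    RFC 1918 *source* does not stop a packet aimed at a public address."""
    d = ipaddress.ip_address(dst)
    return not any(d in parse_ipfw_addr(f"{a}:{m}") for a, m in RFC1918)

def first_match(rules, src, dst, iface):
    """Index of the first deny rule the packet hits, or None if it passes."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (snet, dnet, rif) in enumerate(rules):
        if iface == rif and s in snet and d in dnet:
            return i
    return None

def verdict(src, dst, iface, oif=OIF):
    return "deny" if first_match(build_rules(oif), src, dst, iface) is not None else "pass"

if __name__ == "__main__":
    # Constructed packets: spoofed 10/8 source, an ISP link address answering a
    # traceroute, LAN traffic on the inside interface, ordinary public traffic.
    for pkt in [("10.1.2.3", "203.0.113.10", "ed0"), ("172.31.0.1", "203.0.113.10", "ed0"),
                ("192.168.1.5", "192.168.1.1", "ed1"), ("198.51.100.7", "203.0.113.10", "ed0")]:
        print(pkt, "routable:", routable_by_destination(pkt[1]), "ipfw:", verdict(*pkt))
```

The second sample packet is the traceroute case from the message: the ISP's 172.16/12 link address is a legitimate ICMP reply, but it is still dropped on the outside interface, which is why such hops show up as timeouts.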