Date: Mon, 12 Oct 2015 14:55:32 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: Are udp packets with non-routeable ip addresses valid on public network?
Message-ID: <561BBBD4.8090708@infracaninophile.co.uk>
In-Reply-To: <561BB03D.1060104@gmail.com>
References: <561BB03D.1060104@gmail.com>
On 2015/10/12 14:06, Ernie Luzar wrote:
> I am receiving unsolicited inbound udp packets with a "to ip address"
> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
> packets from that LAN computer pass through the firewall NAT as
> expected. I added a firewall rule to block that packet and there are no
> outward signs of problems with that LAN computer.
>
> On other LAN PC's that run ms/windows and facebook or yahoo are sending
> out bound udp packets with "from ip address" containing their LAN ip
> address. I block these also without any outward signs of problems. These
> packets are not being NAT'ed like other udp packets from that LAN PC are.
>
> I thought non-routeable ip addresses are invalid on the public network.
>
> Any ideas on what is occurring here?

Do you mean you are receiving packets on the *external* interface of your
firewall with an IP number for a host in the private address space on your
internal lan?

No, that shouldn't happen. RFC1918 addressed packets should not be routable
on the Internet. It sounds as if your firewall might be letting un-NAT'ed
traffic through itself for some combination of host and protocol, and you
are somehow seeing responses. Or else someone has worked out what some of
your internal addresses are and is trying to spoof your firewall -- but
they'd have to be fairly close to you in network terms to even attempt that.

Your firewall should reject such packets -- it's good practice to drop
packets using private address space when they arrive from or depart to
public networks, and also to drop packets that arrive at an 'impossible'
interface according to the routing table.
You can do that last bit fairly easily in pf(4) by something like:

    block in log quick on $ext_if from no-route to any
    block in log quick on $ext_if from urpf-failed to any

Cheers,

Matthew
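The two pf(4) rules in Matthew's reply cover only the "impossible interface" half of his advice. The pf.conf fragment below, added here as an example and not part of the original message, combines them with the other half (dropping private address space on the public side) and a NAT rule, so that both of the cases Ernie describes are logged and blocked rather than leaking. The interface names em0/em1 and the LAN prefix 10.0.10.0/24 are assumptions; adjust them to your own site.

```pf
# Added example, not from the original thread. Interface names and
# the LAN prefix are assumptions.
ext_if  = "em0"            # assumed: interface facing the ISP
int_if  = "em1"            # assumed: interface facing the LAN
int_net = "10.0.10.0/24"   # assumed: the LAN holding 10.0.10.1

# RFC 1918 space plus loopback and link-local. If your ISP hands
# $ext_if a private address (e.g. behind a carrier NAT), take that
# range out of the table or these rules will cut you off.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                        127.0.0.0/8, 169.254.0.0/16 }

set skip on lo0

# Translate LAN traffic as it leaves the external interface. Replies
# match this state and are un-NAT'ed before any filter rule is seen,
# so the blocks below do not interfere with normal NAT traffic.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# 1. Private source or destination has no business on the public
#    side, in either direction. Case one in the thread (inbound UDP
#    addressed to 10.0.10.1) hits the second rule; case two (outbound
#    UDP still carrying a LAN source) hits the third. Logging them
#    tells you whether the firewall itself is leaking un-NAT'ed traffic.
block in  log quick on $ext_if from <private> to any
block in  log quick on $ext_if from any to <private>
block out log quick on $ext_if from <private> to any
block out log quick on $ext_if from any to <private>

# 2. The two checks from the reply: no route back to the source, and
#    a source that the routing table says cannot arrive on $ext_if.
block in log quick on $ext_if from no-route to any
block in log quick on $ext_if from urpf-failed to any

# 3. Default deny, then pass what the LAN is allowed to do.
block log all
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if inet from ($ext_if) to any keep state
```

Blocked packets are logged to pflog0; `tcpdump -n -e -ttt -i pflog0` shows which rule matched and on which interface, which is the quickest way to tell a leaking NAT from a spoofed packet arriving from outside.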