From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: Are udp packets with non-routeable ip addresses valid on public network?
Date: Mon, 12 Oct 2015 14:55:32 +0100
Message-ID: <561BBBD4.8090708@infracaninophile.co.uk>
In-Reply-To: <561BB03D.1060104@gmail.com>

On 2015/10/12 14:06, Ernie Luzar wrote:
> I am receiving unsolicited inbound udp packets with a "to ip address"
> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
> packets from that LAN computer pass through the firewall NAT as
> expected.
> I added a firewall rule to block that packet and there are no
> outward signs of problems with that LAN computer.
>
> On other LAN PCs that run ms/windows and facebook or yahoo are sending
> outbound udp packets with "from ip address" containing their LAN ip
> address. I block these also without any outward signs of problems. These
> packets are not being NAT'ed like other udp packets from that LAN PC are.
>
> I thought non-routeable ip addresses are invalid on the public network.
>
> Any ideas on what is occurring here?

Do you mean you are receiving packets on the *external* interface of your
firewall with an IP number for a host in the private address space on
your internal lan? No, that shouldn't happen. RFC1918 addressed packets
should not be routable on the Internet.

It sounds as if your firewall might be letting un-NAT'ed traffic through
itself for some combination of host and protocol, and you are somehow
seeing responses. Or else someone has worked out what some of your
internal addresses are and is trying to spoof your firewall -- but they'd
have to be fairly close to you in network terms to even attempt that.

Your firewall should reject such packets -- it's good practice to drop
packets using private address space when they arrive from or depart to
public networks, and also to drop packets that arrive at an 'impossible'
interface according to the routing table.
You can do that last bit fairly easily in pf(4) by something like:

    block in log quick on $ext_if from no-route to any
    block in log quick on $ext_if from urpf-failed to any

Cheers,

Matthew
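As an added illustration (not part of Matthew's mail, and not pf code), the three checks he describes, modelled in Python over constructed packets: private address space on the external interface in either direction, pf's `no-route`, and `urpf-failed` (the source's reverse path does not point back at the interface the packet arrived on). The interface names ext0/lan0, the 10.0.10.0/24 LAN prefix and the routing table are assumptions.

```python
import ipaddress

# Constructed example: a two-interface firewall like the one in the thread.
# ext0 faces the public Internet, lan0 the 10.0.10.0/24 LAN (assumed prefix).
ROUTES = {
    ipaddress.ip_network("10.0.10.0/24"): "lan0",
    ipaddress.ip_network("0.0.0.0/0"): "ext0",  # default route
}
EXT_IF = "ext0"

# Address space that must never appear on the public side: RFC1918 plus
# a few other non-routable ranges.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)]


def is_private(addr):
    return any(addr in net for net in PRIVATE)


def route_lookup(addr):
    """Longest-prefix match; returns the egress interface, or None when the
    table has no route at all (what pf's 'no-route' matches; with a default
    route present this never happens)."""
    matches = [(net, ifname) for net, ifname in ROUTES.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def classify(src, dst, ifname, direction):
    """Return the reason a packet should be dropped, or None if it passes.

    direction is 'in' (arriving on ifname) or 'out' (leaving through ifname).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Private addresses have no business on the public interface, whether
    # arriving from or departing to the Internet (the un-NAT'ed leak case).
    if ifname == EXT_IF and (is_private(s) or is_private(d)):
        return "private address on external interface"
    if direction == "in":
        back = route_lookup(s)
        if back is None:
            return "no-route"       # pf: 'from no-route'
        if back != ifname:
            return "urpf-failed"    # pf: 'from urpf-failed' (reverse path mismatch)
    return None
```

In pf the filter rules see addresses after nat/rdr translation, so a block rule for private destinations inbound on $ext_if would also match connections you deliberately rdr to LAN hosts unless their pass rule comes first.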