Date: Mon, 12 Oct 2015 08:16:39 -0700 From: Kurt Buff <kurt.buff@gmail.com> To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org> Subject: Re: Are udp packets with non-routeable ip addresses valid on public network? Message-ID: <CADy1Ce4AHLewzix6D6UC_sukWvqqi4TNd5=HEEGOAzFQcxC2Pw@mail.gmail.com> In-Reply-To: <561BBBD4.8090708@infracaninophile.co.uk> References: <561BB03D.1060104@gmail.com> <561BBBD4.8090708@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 12, 2015 at 6:55 AM, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote: > On 2015/10/12 14:06, Ernie Luzar wrote: > >> I am receiving unsolicited inbound udp packets with a "to ip address" >> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp >> packets from that LAN computer pass through the firewall NAT as >> expected. I added a firewall rule to block that packet and their are no >> outward signs of problems with that LAN computer. >> >> On other LAN PC's that run ms/windows and facebook or yahoo are sending >> out bound udp packets with "from ip address" containing their LAN ip >> address. I bock these also without any outward signs of problems. These >> packets are not being NAT'ed like other udp packets from that LAN PC are. >> >> I though non-routeable ip addresses are invalid on the public network. >> >> Any ideas on what is occurring here? > > Do you mean you are receiving packets on the *external* interface of > your firewall with an IP number for a host in the private address space > on your internal lan? > > No, that shouldn't happen. RFC1918 addressed packets should not be > routable on the Internet. > > It sounds as if your firewall might be letting un-NAT'ed traffic through > itself for some combination of host and protocol, and you are somehow > seeing responses. Or else someone has worked out what some of your > internal addresses are and is trying to spoof your firewall -- but > they'd have to be fairly close to you in network terms to even attempt that. > > Your firewall should reject such packets -- it's good practice to drop > packets using private address space when they arrive from or depart to > public networks, and also to drop packets that arrive at an 'impossible' > interface according to the routing table. You can do that last bit > fairly easily in pf(4) by something like: > > block in log quick on $ext_if from no-route to any > block in log quick on $ext_if from urpf-failed to any > > Cheers, > > Matthew I'll go a bit further, and also recommend that your router outside your firewall, if you have one, as well as your firewall, should block all bogons, inbound and outbound: https://www.team-cymru.org/bogon-reference.html Definitely audit your firewall to make sure it isn't emitting un-NATed packets. Kurt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADy1Ce4AHLewzix6D6UC_sukWvqqi4TNd5=HEEGOAzFQcxC2Pw>