Date:      Tue, 25 Jul 2000 00:08:18 -0700
From:      "Dan O'Connor" <dan@mostgraveconcern.com>
To:        <cjclark@alum.mit.edu>, "Stephen Montgomery-Smith" <stephen@math.missouri.edu>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: Problems with natd and simple firewall
Message-ID:  <015601bff607$1c48cbc0$029b140a@danco>

>Why not just block the RFC1918 addresses on the outer interface
>_before_ the divert rule?

I'm confused as to how ipfw treats packets with forwarding turned on, but
without NAT. Packets that aren't natted supposedly only make one trip
through the rules, so does ipfw check the packet as if it exists on both
interfaces (in on one, out on the other) at the same time?

If so, and I put the divert rule *after* the anti-spoofing and RFC1918
rules:

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

    ${fwcmd} add divert natd all from any to any via ${natd_interface}

And then attempt to connect to an external machine from a machine on my
inside net:

    192.168.1.5:1025  ->  12.34.56.78:80

Won't the RFC1918 rule kill it before it gets natted (since it's
simultaneously 'in via iif' and 'out via oif')?

'man natd' seems to imply that the divert rule should come before any other
rule:

    If you specify real firewall rules, it is best to specify line 2 at
    the start of the script so that natd sees all packets before they
    are dropped by the firewall.

In this case the RFC1918 rule would see the packet as if coming from the
local machine (and not as a simultaneous in-and-out packet).

--Dan

--
Dan O'Connor
On Matters of Most Grave Concern
    http://www.mostgraveconcern.com
FreeBSD Cheat Sheets
    http://www.mostgraveconcern.com/freebsd/
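The following is an added illustration, not code from this thread: a small Python model of the rule walk the message reasons about, under the assumed FreeBSD ipfw semantics that rules are tried in order, `via` matches the named interface in either direction, and `divert natd` hands the packet to natd and resumes at the next rule. It shows the two orderings of the RFC1918 deny and the divert rule for the exact packet above, plus a constructed inbound packet with a private source, and assumes constructed names for the outside address and interface.

```python
import ipaddress

PUBLIC_IP = "12.34.56.77"  # constructed: the gateway's outside address
OIF = "fxp0"               # constructed name standing in for ${oif} / ${natd_interface}
nat_table = {}             # natd session state: (public_ip, port) -> (inside_ip, port)

def natd(pkt):
    """Minimal natd: rewrite the source going out, the destination coming in."""
    if pkt["dir"] == "out" and ipaddress.ip_address(pkt["src"]).is_private:
        nat_table[(PUBLIC_IP, pkt["sport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=PUBLIC_IP)
    key = (pkt["dst"], pkt["dport"])
    if pkt["dir"] == "in" and key in nat_table:
        return dict(pkt, dst=nat_table[key][0], dport=nat_table[key][1])
    return pkt  # no session for it: natd hands the packet back untouched

def matches(rule, pkt):
    """'via' matches the interface in either direction; 'dir' narrows to in/out."""
    if rule.get("via") and rule["via"] != pkt["iface"]:
        return False
    if rule.get("dir") and rule["dir"] != pkt["dir"]:
        return False
    net = rule.get("src")
    return net is None or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(net)

def run_ipfw(rules, pkt):
    """First matching deny/allow decides; a divert rewrites and continues at the next rule."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            pkt = natd(pkt)
            continue
        return rule["action"], pkt["src"], pkt["dst"]
    return "allow", pkt["src"], pkt["dst"]  # assumed default policy: allow

DENY_RFC1918 = {"action": "deny", "src": "192.168.0.0/16", "via": OIF}
DIVERT = {"action": "divert", "via": OIF}

def outbound_from_lan(rules):
    """192.168.1.5:1025 -> 12.34.56.78:80 as ipfw sees it on its way out of ${oif}."""
    pkt = {"src": "192.168.1.5", "sport": 1025, "dst": "12.34.56.78", "dport": 80,
           "iface": OIF, "dir": "out"}
    return run_ipfw(rules, pkt)

def spoofed_from_outside(rules):
    # constructed inbound packet carrying an RFC1918 source, arriving on ${oif}
    pkt = {"src": "192.168.9.9", "sport": 4444, "dst": PUBLIC_IP, "dport": 9999,
           "iface": OIF, "dir": "in"}
    return run_ipfw(rules, pkt)
```

With the deny rule first the LAN packet is dropped before natd ever sees it; with the divert first it leaves with the public source, while the inbound packet with a private source is still denied under either ordering because natd has no session for it and passes it through unchanged.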