From: "Dan O'Connor" <dan@mostgraveconcern.com>
To: , "Stephen Montgomery-Smith"
Cc:
Subject: Re: Problems with natd and simple firewall
Date: Tue, 25 Jul 2000 00:08:18 -0700
Message-ID: <015601bff607$1c48cbc0$029b140a@danco>

>Why not just block the RFC1918 addresses on the outer interface
>_before_ the divert rule?

I'm confused as to how ipfw treats packets with forwarding turned on, but without NAT. Packets that aren't natted supposedly only make one trip through the rules, so does ipfw check the packet as if it exists on both interfaces (in on one, out on the other) at the same time?

If so, and I put the divert rule *after* the anti-spoofing and RFC1918 rules:

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

    ${fwcmd} add divert natd all from any to any via ${natd_interface}

And then attempt to connect to an external machine from a machine on my inside net:

    192.168.1.5:1025 -> 12.34.56.78:80

Won't the RFC1918 rule kill it before it gets natted (since it's simultaneously 'in via iif' and 'out via oif')?

'man natd' seems to imply that the divert rule should come before any other rule:

    If you specify real firewall rules, it is best to specify line 2 at
    the start of the script so that natd sees all packets before they are
    dropped by the firewall.

In this case the RFC1918 rule would see the packet as if coming from the local machine (and not as a simultaneous in-and-out packet).

--Dan

-- 
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com
FreeBSD Cheat Sheets
http://www.mostgraveconcern.com/freebsd/
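An added illustration of the ordering question in the mail above (not code from the original thread): a toy model of the two passes a forwarded packet makes through ipfw, once inbound on the inside interface and once outbound on the outside interface, with the RFC1918 deny rule placed before and after the natd divert rule. Interface names and the public address are constructed stand-ins, and natd is modelled only as a source-address rewrite.

```python
import ipaddress

# Constructed values for this illustration (not from the original mail).
IIF, OIF = "fxp0", "fxp1"          # assumed inside and outside interface names
PUBLIC_IP = "203.0.113.10"         # documentation-range stand-in for the outside address
RFC1918_NET = ipaddress.ip_network("192.168.0.0/16")

def deny_rfc1918(pkt, iface, direction):
    """'deny all from 192.168.0.0/16 to any via ${oif}': 'via' matches in and out."""
    if iface == OIF and ipaddress.ip_address(pkt["src"]) in RFC1918_NET:
        return "deny"
    return None

def divert_natd(pkt, iface, direction):
    """'divert natd all from any to any via ${oif}': natd is modelled as rewriting
    the source of outbound packets, after which ipfw resumes at the next rule."""
    if iface == OIF:
        if direction == "out" and ipaddress.ip_address(pkt["src"]).is_private:
            pkt["src"] = PUBLIC_IP
        return "continue"
    return None

def run_pass(pkt, iface, direction, rules):
    """Evaluate one pass in rule order; first 'deny' wins."""
    for rule in rules:
        if rule(pkt, iface, direction) == "deny":
            return "deny"
    return "allow"   # a trailing allow rule is assumed for the illustration

def forward(pkt, rules):
    """Forwarded packets are checked twice: 'in via iif', then 'out via oif'.
    Returns the final verdict and the source address the outside world sees."""
    pkt = dict(pkt)
    for iface, direction in ((IIF, "in"), (OIF, "out")):
        if run_pass(pkt, iface, direction, rules) == "deny":
            return "deny", pkt["src"]
    return "allow", pkt["src"]

# The connection from the mail: inside host to an external web server.
SAMPLE = {"src": "192.168.1.5", "dst": "12.34.56.78"}

# deny before divert: the outbound pass hits the deny rule before natd runs
print(forward(SAMPLE, [deny_rfc1918, divert_natd]))   # ('deny', '192.168.1.5')
# divert first, as natd(8) advises: natd rewrites the source, deny no longer matches
print(forward(SAMPLE, [divert_natd, deny_rfc1918]))   # ('allow', '203.0.113.10')
```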