Date:      Mon, 24 Aug 1998 18:01:48 +0200
From:      Neil Blakey-Milner <nbm@rucus.ru.ac.za>
To:        Paul van der Zwan <paulz@trantor.stuyts.nl>
Cc:        security@FreeBSD.ORG
Subject:   Re: natd and ipfw rules not working together
Message-ID:  <19980824180148.A11376@rucus.ru.ac.za>
In-Reply-To: <199808241508.RAA04739@trantor.stuyts.nl>; from Paul van der Zwan on Mon, Aug 24, 1998 at 05:08:49PM +0200
References:  <19980824145009.A25487@rucus.ru.ac.za> <199808241508.RAA04739@trantor.stuyts.nl>

On Mon 1998-08-24 (17:08), Paul van der Zwan wrote:
> add divert natd ip from any to any via tun0
> add allow     ip   from any to any via lo0
> add allow     ip   from any to any via de0
> add deny log  ip   from 127.0.0.0/8 to 127.0.0.0/8
> add deny log  all  from 192.168.0.0:255.255.0.0 to any in recv tun0
> #add deny log  all  from any to 192.168.0.0:255.255.0.0 in recv tun0
> add deny log  all  from 172.16.0.0:255.240.0.0 to any in recv tun0
> add deny log  all  from any to 172.16.0.0:255.240.0.0 in recv tun0
> add deny log  all  from 10.0.0.0:255.0.0.0 to any in recv tun0
> add deny log  all  from any to 10.0.0.0:255.0.0.0 in recv tun0

Ok, maybe I'm missing something here, but:

Why do you want to deny stuff from 192.168.0.0:255.255.0.0 that is coming via
your tun0 device?  I assume this is a modem connection between your work and
home or something.

You should be more interested in blocking the reserved IPs coming from other
devices, surely?

You also might want to use rule numbers, to know which rules apply, and in
which order.  As far as I remember, the most recently applied rule at a
number has precedence, and if you don't specify a number, it's given 0.  Your
most recent case regarding 192.168.0.0:255.255.0.0 would be deny (if you
uncomment it).

Hope this helps.

Neil
-- 
Neil Blakey-Milner
nbm@rucus.ru.ac.za
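A small model of the first-match, number-ordered evaluation discussed above, added here as an example and not part of the original thread: it takes a numbered subset of the quoted ruleset (divert and log are not modelled) and reports which rule a packet hits, assuming ipfw's default final rule 65535 deny.

```python
import ipaddress

# Constructed example: a numbered subset of the ruleset quoted above,
# deliberately listed out of order to show that the number, not the
# position in the list, decides precedence.
# (number, action, source, destination, interface, direction)
# "any" matches every address; direction None matches both in and out.
RULES = [
    (500, "deny", "10.0.0.0:255.0.0.0", "any", "tun0", "in"),
    (100, "allow", "any", "any", "lo0", None),
    (200, "allow", "any", "any", "de0", None),
    (300, "deny", "192.168.0.0:255.255.0.0", "any", "tun0", "in"),
    (400, "deny", "172.16.0.0:255.240.0.0", "any", "tun0", "in"),
]

DEFAULT_RULE = (65535, "deny")  # assumption: kernel built with default-to-deny


def _addr_in(spec, addr):
    """Match an address against 'any' or ipfw's addr:mask notation."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.replace(":", "/"), strict=False)
    return ipaddress.ip_address(addr) in net


def first_match(rules, src, dst, iface, direction):
    """Return (number, action) of the lowest-numbered rule that matches the
    packet, or DEFAULT_RULE when nothing matches."""
    for num, action, rsrc, rdst, riface, rdir in sorted(rules, key=lambda r: r[0]):
        if riface != iface:
            continue
        if rdir is not None and rdir != direction:
            continue
        if _addr_in(rsrc, src) and _addr_in(rdst, dst):
            return num, action
    return DEFAULT_RULE


if __name__ == "__main__":
    # Constructed packets: a private source arriving on the modem link,
    # and the same source on the inside interface.
    print(first_match(RULES, "192.168.1.5", "203.0.113.7", "tun0", "in"))
    print(first_match(RULES, "192.168.1.5", "192.168.1.1", "de0", "in"))
```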
