From owner-freebsd-net Fri Mar 31 6:20:52 2000
In-Reply-To: <200003311406.PAA02684@hak.lan.Awfulhak.org>
Date: Fri, 31 Mar 2000 16:20:38 +0200 (MET DST)
Reply-To: mm@i.cz
From: Martin Machacek
To: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Sender: owner-freebsd-net@FreeBSD.ORG

On 31-Mar-00 Brian Somers wrote:
> In fact, there's a bug in libalias. Packets destined to anything
> that's not redirected (with PacketAliasRedirectAddr() or implicitly)
> should be redirected to the alias address according to the
> documentation.
>
> This is now reality (as of about a minute ago).

There is possibly another bug in natd/libalias. Incoming ICMP packets
are being translated and forwarded if there is some "redirect address"
configured even if "deny-incoming" is specified. TCP/UDP packets are
denied correctly. I haven't had enough time to inspect this possible
problem more thoroughly so I haven't produced any PR yet. Maybe somebody
else has more time ... :-)

Martin

---
[PGP KeyID F3F409C4]