Date: Mon, 24 Aug 1998 19:26:14 +0200
From: Paul van der Zwan <paulz@trantor.stuyts.nl>
To: Neil Blakey-Milner <nbm@rucus.ru.ac.za>
Cc: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
Message-ID: <199808241726.TAA19285@trantor.stuyts.nl>
In-Reply-To: Your message of "Mon, 24 Aug 1998 18:01:48 +0200." <19980824180148.A11376@rucus.ru.ac.za>
> On Mon 1998-08-24 (17:08), Paul van der Zwan wrote:
> > add divert natd ip from any to any via tun0
> > add allow ip from any to any via lo0
> > add allow ip from any to any via de0
> > add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
> > add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
> > #add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
> > add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
> > add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
> > add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
> > add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
>
> Ok, maybe I'm missing something here, but:
>
> Why do you want to deny stuff from 192.168.0.0:255.255.0.0 that is coming via
> your tun0 device? I assume this is a modem connection between your work and
> home or something.

Tun0 is the modem connection to my ISP. My FreeBSD box is connected to a LAN on the de0 interface containing some other computers, using 192.168.200.x as addresses. I don't want any RFC 1918 addresses coming in or going out on the link to my ISP. That is the reason for the rules above (which are a subset of all rules; they are followed by about 30 more).

> You should be more interested in blocking the reserved IPs coming from other
> devices, surely?

That is what I am trying to do. But by enabling the commented rule above I also block packets translated by natd, which I don't want to block but want to allow. Only there is no way to discriminate between packets having an RFC 1918 destination from the start and those which get it from natd.

> You also might want to use rule numbers, to know which rules apply, and in
> which order. As far as I remember, the most recently applied rule at a
> number has precedence, and if you don't specify a number, it's given 0. Your
> most recent case regarding 192.168.0.0:255.255.0.0 would be deny (if you
> uncomment it).

I had rules numbered but I found it easier to put them all in a file and use ipfw flush followed by ipfw filename to load them all at once. It is too much trouble renumbering lines in the file if I inserted more lines than I left space for. If I see a deny in the log I usually use ipfw show if it is not immediately clear which rule is triggered.

> Hope this helps.

Not with my real problem, I'm afraid ;-)

Thanks
Paul
--
Paul van der Zwan paulz @ trantor.stuyts.nl
"I think I'll move to theory, everything works in theory..."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808241726.TAA19285>
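The ordering problem discussed in this thread can be shown with a small simulation. The following Python script is an added example, not code from the original message or from FreeBSD: it models ipfw's classic first-match walk, in which a packet matched by a `divert natd` rule is rewritten by natd and then continues at the next rule, and compares the posted ordering (divert before the RFC 1918 denies) with one that puts the `in recv tun0` anti-spoofing denies ahead of the divert. The public address 203.0.113.10, the LAN 192.168.200.0/24, the session table and the sample packets are constructed assumptions; natd is reduced to a one-entry per-peer rewrite rather than its real port-based table.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed addresses (assumptions, not values from the message): the
# ISP-facing public address of the FreeBSD box and the LAN behind natd.
PUBLIC_IP = "203.0.113.10"
LAN_NET = ipaddress.ip_network("192.168.200.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Simplified natd state: replies arriving from this remote host belong to
# this LAN host (real natd keys on ports; one entry per peer is enough here).
SESSIONS = {"198.51.100.7": "192.168.200.5"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet arrives on or leaves by
    direction: str   # "in" (recv) or "out" (xmit)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "allow", "deny" or "divert"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    iface: Optional[str] = None        # "via X" when direction is None,
    direction: Optional[str] = None    # "in recv X" / "out xmit X" otherwise

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.iface is None or self.iface == pkt.iface)
                and (self.direction is None or self.direction == pkt.direction))


def natd(pkt: Packet, sessions: dict) -> Packet:
    """Rewrite addresses the way natd does on the tun0 divert socket."""
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP and pkt.src in sessions:
        return replace(pkt, dst=sessions[pkt.src])
    if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in LAN_NET:
        return replace(pkt, src=PUBLIC_IP)
    return pkt


def evaluate(rules: List[Rule], pkt: Packet, sessions: dict) -> Tuple[str, int, Packet]:
    """ipfw-style first-match walk. A matching divert rule hands the packet to
    natd and evaluation resumes at the next rule with the rewritten packet
    (the classic behaviour, no one-pass short cut). Returns the verdict, the
    rule number that produced it and the packet as it left the ruleset."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt, sessions)
            continue
        return rule.action, rule.number, pkt
    return "deny", 65535, pkt   # ipfw's default rule is deny


def rfc1918_ingress_rules(first_number: int) -> List[Rule]:
    """The 'deny ... in recv tun0' pairs from the message, one pair per block."""
    rules, n = [], first_number
    for net in RFC1918:
        rules.append(Rule(n, "deny", src=net, iface="tun0", direction="in"))
        rules.append(Rule(n + 100, "deny", dst=net, iface="tun0", direction="in"))
        n += 200
    return rules


# Ordering as posted: divert first, then the anti-RFC1918 denies.
DIVERT_FIRST = ([Rule(100, "divert", iface="tun0")]
                + rfc1918_ingress_rules(200)
                + [Rule(1000, "allow")])   # stands in for the ~30 rules that follow

# Anti-spoofing checks placed before natd ever sees the packet.
DENY_FIRST = (rfc1918_ingress_rules(100)
              + [Rule(900, "divert", iface="tun0"), Rule(1000, "allow")])

# Constructed sample traffic.
REPLY_FROM_INTERNET = Packet("198.51.100.7", PUBLIC_IP, "tun0", "in")
SPOOFED_SOURCE = Packet("10.1.2.3", PUBLIC_IP, "tun0", "in")
SPOOFED_DESTINATION = Packet("198.51.100.9", "192.168.200.5", "tun0", "in")
LAN_TO_INTERNET = Packet("192.168.200.5", "198.51.100.7", "tun0", "out")


if __name__ == "__main__":
    for name, rules in (("divert first", DIVERT_FIRST), ("deny first", DENY_FIRST)):
        for pkt in (REPLY_FROM_INTERNET, SPOOFED_SOURCE, SPOOFED_DESTINATION, LAN_TO_INTERNET):
            verdict, num, out = evaluate(rules, pkt, SESSIONS)
            print(f"{name:12} {pkt.src:>14} -> {pkt.dst:<14} {pkt.direction:3} "
                  f"{verdict:5} by rule {num:5}  (leaves as {out.src} -> {out.dst})")
```

With the posted ordering the legitimate reply is translated to 192.168.200.5 by the divert and then hits the `deny ... to 192.168.0.0/16 in recv tun0` rule, which is exactly the symptom described above. With the denies ahead of the divert the same reply still carries the public destination when it is inspected, so only packets that arrived on tun0 already bearing an RFC 1918 source or destination are dropped, and translated traffic in both directions is allowed.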