Date: Mon, 24 Aug 1998 12:51:45 -0500
From: Kim Shrier <kim@tinker.com>
To: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
Message-ID: <35E1A831.D12B41A7@tinker.com>
References: <199808241508.RAA04739@trantor.stuyts.nl>
Paul van der Zwan wrote:
> That is the problem, if I deny rfc1918 addresses I also deny packets
> translated by natd. There is AFAIK no way to recognize these,
> legitimate rfc1918 addressed, packets from those coming in on the same
> interface containing an rfc1918 from the start.

-- snip --

> This is the relevant part of my rules at the moment.
> My laptop is using 192.168.200.95 and if I browse from that thing, the return
> packets bounce against the commented line, which must be there to deny
> rfc1918 packets coming in from the internet.
>
> add divert natd ip from any to any via tun0
> add allow ip from any to any via lo0
> add allow ip from any to any via de0
> add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
> add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
> #add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
> add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
> add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
> add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
> add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
>
> Regards
> Paul
>
> --

You need to filter the rfc1918 addresses that are in the source field
before you nat them. Also, you can save yourself some time by moving the
lo0 and 127.0.0.0/8 rules above the divert rule.

Try the following:

add allow ip from any to any via lo0
add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
add divert natd ip from any to any via tun0
add allow ip from any to any via de0
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0

Kim Shrier
kim@tinker.com
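Kim's fix rests on how ipfw handles a natd divert: the packet natd hands back re-enters the rule list at the rule after the divert, so a check on the destination address sees the public address if it sits before the divert and the translated RFC1918 address if it sits after. The following Python is an added illustration, not code from this thread or from FreeBSD: it parses the subset of ipfw syntax used above into a first-match rule walk, models natd as a one-host address rewrite that resumes at the next rule, and runs both rule orders against a reply packet for the laptop and a packet arriving from the Internet with an RFC1918 destination. The tun0 address 198.51.100.5, the remote host 203.0.113.10, the trailing allow rule, and the omission of the 172.16/12, 10/8 and de0 lines (which follow the same pattern) are assumptions of this example.

```python
# Toy first-match evaluator for ipfw rule order around a natd divert (added example, not
# thread code). A divert rule rewrites what natd would and evaluation resumes at the NEXT rule.
import ipaddress
from dataclasses import dataclass, replace

LAPTOP_IP = "192.168.200.95"  # from the thread
PUBLIC_IP = "198.51.100.5"    # assumed address of tun0 (documentation range)
REMOTE_IP = "203.0.113.10"    # assumed web server on the Internet

@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "in" or "out"
    iface: str      # interface the packet arrives on ("in") or leaves by ("out")

@dataclass
class Rule:
    text: str
    action: str            # allow | deny | divert
    src: object            # IPv4Network, or the string "any"
    dst: object
    direction: str = None  # "in", "out" or None (either)
    iface: str = None      # from "via X" / "recv X"; None matches any interface

def _net(word):
    if word == "any":
        return "any"
    return ipaddress.ip_network(word.replace(":", "/"), strict=False)  # addr:mask -> addr/mask

def parse_rule(line):
    """Parse the subset of ipfw syntax that appears in the thread."""
    tok = line.split()
    assert tok[0] == "add", line
    action, i = tok[1], 2
    if action == "divert":
        i += 1                   # skip the divert port name ("natd")
    if tok[i] == "log":
        i += 1                   # logging does not change the verdict
    i += 1                       # protocol ("ip" / "all"): every packet here
    assert tok[i] == "from" and tok[i + 2] == "to", line
    rule = Rule(line, action, _net(tok[i + 1]), _net(tok[i + 3]))
    i += 4
    while i < len(tok):
        if tok[i] in ("in", "out"):
            rule.direction, i = tok[i], i + 1
        elif tok[i] in ("via", "recv"):
            rule.iface, i = tok[i + 1], i + 2  # the thread only uses "recv" with "in"
        else:
            raise ValueError("unsupported option %r in %r" % (tok[i], line))
    return rule

def _matches(rule, pkt):
    def in_net(net, addr):
        return net == "any" or ipaddress.ip_address(addr) in net
    return (in_net(rule.src, pkt.src) and in_net(rule.dst, pkt.dst)
            and rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface))

def evaluate(rules, pkt):
    """One pass over one interface: (verdict, text of the deciding rule)."""
    pkt = replace(pkt)           # work on a copy; natd rewrites it below
    for rule in rules:
        if not _matches(rule, pkt):
            continue
        if rule.action in ("allow", "deny"):
            return rule.action, rule.text
        # divert natd: inbound for the public address -> laptop; outbound from
        # the laptop -> public address. Then carry on at the rule after the divert.
        if pkt.direction == "in" and pkt.dst == PUBLIC_IP:
            pkt.dst = LAPTOP_IP
        elif pkt.direction == "out" and pkt.src == LAPTOP_IP:
            pkt.src = PUBLIC_IP
    return "deny", "default rule 65535 (kernel built with default deny)"

# Paul's order with his commented-out line enabled, so the symptom shows. The 172.16/12,
# 10/8 and de0 rules are left out; the final allow stands in for the rest of his rules.
PAULS_RULES = [parse_rule(l) for l in """
add divert natd ip from any to any via tun0
add allow ip from any to any via lo0
add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
add allow ip from any to any
""".strip().splitlines()]

# Kim's order: destination RFC1918 check before natd, source check after it.
KIMS_RULES = [parse_rule(l) for l in """
add allow ip from any to any via lo0
add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
add divert natd ip from any to any via tun0
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
add allow ip from any to any
""".strip().splitlines()]

# Constructed packets, each as seen at tun0 before natd touches it.
RETURN_PKT = Packet(REMOTE_IP, PUBLIC_IP, "in", "tun0")   # web reply meant for the laptop
SPOOFED_PKT = Packet(REMOTE_IP, LAPTOP_IP, "in", "tun0")  # RFC1918 destination from the Internet
```

Running evaluate(PAULS_RULES, RETURN_PKT) stops at his destination rule, because by then natd has already rewritten the destination to 192.168.200.95; evaluate(KIMS_RULES, RETURN_PKT) passes the destination check while the address is still public and reaches the trailing allow. SPOOFED_PKT is denied under both orders, so the anti-spoofing check is not weakened by the move, and a request leaving the laptop still matches only the divert and the final allow in Kim's order.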