Date:      Mon, 24 Aug 1998 12:51:45 -0500
From:      Kim Shrier <kim@tinker.com>
To:        security@FreeBSD.ORG
Subject:   Re: natd and ipfw rules not working together
Message-ID:  <35E1A831.D12B41A7@tinker.com>
References:  <199808241508.RAA04739@trantor.stuyts.nl>

Paul van der Zwan wrote:
> That is the problem: if I deny rfc1918 addresses I also deny packets
> translated by natd. There is AFAIK no way to recognize these
> legitimate, rfc1918-addressed packets from those coming in on the same
> interface containing an rfc1918 from the start.

-- snip --

> This is the relevant part of my rules at the moment.
> My laptop is using 192.168.200.95 and if I browse from that thing, the return
> packets bounce against the commented line, which must be there to deny
> rfc1918 packets coming in from the internet.
> 
> add divert natd ip from any to any via tun0
> add allow     ip   from any to any via lo0
> add allow     ip   from any to any via de0
> add deny log  ip   from 127.0.0.0/8 to 127.0.0.0/8
> add deny log  all  from 192.168.0.0:255.255.0.0 to any in recv tun0
> #add deny log  all  from any to 192.168.0.0:255.255.0.0 in recv tun0
> add deny log  all  from 172.16.0.0:255.240.0.0 to any in recv tun0
> add deny log  all  from any to 172.16.0.0:255.240.0.0 in recv tun0
> add deny log  all  from 10.0.0.0:255.0.0.0 to any in recv tun0
> add deny log  all  from any to 10.0.0.0:255.0.0.0 in recv tun0
> 
> Regards
>         Paul
> 
> --
You need to filter the rfc1918 addresses that are in the source field
before you nat them.  Also, you can save yourself some time by moving
the lo0 and 127.0.0.0/8 rules above the divert rule.  Try the following:

add allow     ip   from any to any via lo0
add deny log  ip   from 127.0.0.0/8 to 127.0.0.0/8

add deny log  all  from any to 192.168.0.0:255.255.0.0 in recv tun0
add deny log  all  from any to 172.16.0.0:255.240.0.0 in recv tun0
add deny log  all  from any to 10.0.0.0:255.0.0.0 in recv tun0

add divert natd ip from any to any via tun0

add allow     ip   from any to any via de0
add deny log  all  from 192.168.0.0:255.255.0.0 to any in recv tun0
add deny log  all  from 172.16.0.0:255.240.0.0 to any in recv tun0
add deny log  all  from 10.0.0.0:255.0.0.0 to any in recv tun0


Kim Shrier
kim@tinker.com
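The ordering argument above can be checked without a FreeBSD box. The following is an added example, not code from the thread or from ipfw/natd: a small Python model of first-match rule evaluation in which a matched divert rule hands the packet to a simplified natd that rewrites one address and returns the packet to the rule after the divert (the behaviour documented for ipfw divert sockets). The external address 203.0.113.7, the remote host 198.51.100.10 and the natd port mapping are constructed; 192.168.200.95 is the laptop from the thread. The two rule lists are Paul's (with the commented-out line active, since that is the case that breaks) and Kim's reordered version.

```python
"""Toy model of ipfw first-match evaluation around a `divert natd` rule.

Added example, not code from the thread. Rules are tried in order; the
first matching allow/deny decides; a matched divert rule passes the packet
to natd, which rewrites an address, and evaluation resumes at the next rule.
"""
import ipaddress

PUBLIC_IP = "203.0.113.7"       # tun0's external address (constructed)
LAPTOP_IP = "192.168.200.95"    # inside host, from the thread
NAT_STATE = {40001: LAPTOP_IP}  # natd state: external port -> inside host (constructed)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule(action, src, dst, iface=None, direction=None):
    """One ipfw rule: src/dst are 'any' or CIDR; direction None means 'via'."""
    return {"action": action, "src": src, "dst": dst,
            "iface": iface, "dir": direction}


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(r, pkt):
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["dir"] and r["dir"] != pkt["dir"]:        # 'in recv X' vs 'via X'
        return False
    return _addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in n for n in RFC1918)


def natd(pkt):
    """Simplified natd: inbound dst port -> inside host, outbound src -> public IP."""
    pkt = dict(pkt)
    if pkt["dir"] == "in" and pkt["dst"] == PUBLIC_IP and pkt.get("dport") in NAT_STATE:
        pkt["dst"] = NAT_STATE[pkt["dport"]]
    elif pkt["dir"] == "out" and is_rfc1918(pkt["src"]):
        pkt["src"] = PUBLIC_IP
    return pkt


def evaluate(rules, pkt):
    """Return (verdict, rule number). 'fallthrough' means none of these
    rules matched; later rules (or the default rule) would then decide."""
    for n, r in enumerate(rules, start=1):
        if not matches(r, pkt):
            continue
        if r["action"] == "divert":
            pkt = natd(pkt)        # natd reinjects; continue at the next rule
            continue
        return r["action"], n
    return "fallthrough", None


# Paul's order, with the commented-out "to 192.168/16" line switched on.
PAUL = [
    rule("divert", "any", "any", "tun0"),
    rule("allow", "any", "any", "lo0"),
    rule("allow", "any", "any", "de0"),
    rule("deny", "127.0.0.0/8", "127.0.0.0/8"),
    rule("deny", "192.168.0.0/16", "any", "tun0", "in"),
    rule("deny", "any", "192.168.0.0/16", "tun0", "in"),   # sees the post-NAT dst
    rule("deny", "172.16.0.0/12", "any", "tun0", "in"),
    rule("deny", "any", "172.16.0.0/12", "tun0", "in"),
    rule("deny", "10.0.0.0/8", "any", "tun0", "in"),
    rule("deny", "any", "10.0.0.0/8", "tun0", "in"),
]

# Kim's order: destination checks before the divert, source checks after.
KIM = [
    rule("allow", "any", "any", "lo0"),
    rule("deny", "127.0.0.0/8", "127.0.0.0/8"),
    rule("deny", "any", "192.168.0.0/16", "tun0", "in"),   # sees the pre-NAT dst
    rule("deny", "any", "172.16.0.0/12", "tun0", "in"),
    rule("deny", "any", "10.0.0.0/8", "tun0", "in"),
    rule("divert", "any", "any", "tun0"),
    rule("allow", "any", "any", "de0"),
    rule("deny", "192.168.0.0/16", "any", "tun0", "in"),
    rule("deny", "172.16.0.0/12", "any", "tun0", "in"),
    rule("deny", "10.0.0.0/8", "any", "tun0", "in"),
]

# Constructed packets arriving on tun0.
REPLY = {"src": "198.51.100.10", "dst": PUBLIC_IP, "dport": 40001,
         "iface": "tun0", "dir": "in"}                      # reply to the laptop's session
SPOOF_SRC = {"src": "10.1.2.3", "dst": PUBLIC_IP, "dport": 80,
             "iface": "tun0", "dir": "in"}                  # rfc1918 source from the internet
SPOOF_DST = {"src": "198.51.100.10", "dst": "192.168.1.1", "dport": 80,
             "iface": "tun0", "dir": "in"}                  # rfc1918 destination from the internet


def compare(pkt):
    return {"paul": evaluate(PAUL, pkt), "kim": evaluate(KIM, pkt)}


if __name__ == "__main__":
    for name, pkt in (("NAT reply to laptop", REPLY),
                      ("spoofed rfc1918 source", SPOOF_SRC),
                      ("rfc1918 destination", SPOOF_DST)):
        print(f"{name}: {compare(pkt)}")
```

Under Paul's order the legitimate reply is diverted first, comes back with destination 192.168.200.95, and is then denied by the "to 192.168/16 in recv tun0" rule; under Kim's order that rule runs while the destination is still the public address, so the reply passes on to whatever follows, while packets that arrive from the internet with an rfc1918 source or destination are still denied in both orders.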

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?35E1A831.D12B41A7>