Date:      Mon, 24 Aug 1998 13:54:03 +0200
From:      Paul van der Zwan <paulz@trantor.stuyts.nl>
To:        "laurens van alphen" <alphen@craxx.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: natd and ipfw rules not working together 
Message-ID:  <199808241154.NAA16992@trantor.stuyts.nl>
In-Reply-To: Your message of "Thu, 20 Aug 1998 13:56:31 +0200."

> Hi all,
> 
> this is my setup
> external net: 130.89/16 (ed0)
> internal net: 192.168.0/24 (ed1)
> running natd and ipfw on the router
> 
> rc.firewall contains:
>       $fwcmd add divert natd all from any to any via ${natd_interface}
> where natd_interface is ed0
> 
> next the default rc.firewall contained these rules:
> 
> $fwcmd add deny all from 192.168.0.0/16 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0/16 via ${oif}
> 
> When I apply those, natd clients (on the internal network) can no longer
> talk to the outside world. They can, however, talk to ${oip} and ${iip}.
> 
> Any clues? It seems to me natd should translate the packets coming from the
> internal network before the 192.168/16 rule sees 'em. Right?
> 

I haven't seen any useful followup. But apparently the translated packets
are sent through all filter rules after translation. Does anybody know a
way to use RFC1918 addresses internally and still deny them when coming
from outside?
I am using the same kind of setup here, and I have to allow all addresses I use
on the inside as destination addresses.
It would be nice if the rules could recognize packets that had been 'fixed'
by natd.

	Paul
-- 
Paul van der Zwan		paulz @ trantor.stuyts.nl
"I think I'll move to theory, everything works in theory..."
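The behaviour Paul describes (a packet that hits `divert natd` is handed to natd and then re-enters the rule list at the rule after the divert, so every later rule sees the translated addresses) is exactly what makes the default rc.firewall's two `deny ... via ${oif}` rules bite. The model below is an added example written for this archive page; it is not code from the thread, from the poster, or from FreeBSD. It walks both orderings with the same packets: the thread's ordering (divert first, then the two deny rules) lets the client's request out but drops the translated reply, which is the "can no longer talk to the outside world" symptom. Splitting the two checks around the divert, `deny ... to 192.168.0.0/16` before natd and `deny ... from 192.168.0.0/16` after it, keeps both RFC1918 checks on the outside interface without touching translated traffic, and answers the question of denying those addresses when they come from outside. Interface names and networks are the thread's; the router's public address, the remote host and the natd session table are constructed and simplified (natd sessions are keyed on the remote address only).

```python
"""ipfw(8) first-match walk with a natd(8) divert rule (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

OIF = "ed0"                       # ${oif} / ${natd_interface} in the thread
PUBLIC_IP = "130.89.1.1"          # constructed: the router's ${oip}
INTERNAL = ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str                # "in" or "out", seen from the router


@dataclass(frozen=True)
class Rule:
    action: str                   # "deny", "allow" or "divert"
    src: str = "any"
    dst: str = "any"
    via: Optional[str] = None     # plain "via ed0": either direction on ed0
    direction: Optional[str] = None  # "in via"/"out via": one direction only

    def matches(self, p: Packet) -> bool:
        def in_net(addr, pat):
            return pat == "any" or ip_address(addr) in ip_network(pat)
        if self.via is not None and p.iface != self.via:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        return in_net(p.src, self.src) and in_net(p.dst, self.dst)


class Natd:
    """Minimal natd: hide internal sources behind PUBLIC_IP on the way out,
    un-translate replies on the way in.  Sessions are keyed by remote
    address only, a simplification of real natd (which also keys on ports)."""

    def __init__(self):
        self.sessions = {}        # remote address -> internal address

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out" and ip_address(p.src) in INTERNAL:
            self.sessions[p.dst] = p.src
            return replace(p, src=PUBLIC_IP)
        if p.direction == "in" and p.dst == PUBLIC_IP and p.src in self.sessions:
            return replace(p, dst=self.sessions[p.src])
        return p                  # traffic natd knows nothing about passes untouched


def walk(rules, p: Packet, natd: Natd):
    """First-match evaluation; a divert rewrites the packet and continues
    at the next rule.  Returns (verdict, packet as last seen)."""
    for r in rules:
        if r.matches(p):
            if r.action == "divert":
                p = natd.translate(p)          # re-injected after the divert
            else:
                return r.action, p
    return "deny", p                           # ipfw's implicit default


# Ordering as described in the thread: divert first, then the two plain
# "via ${oif}" deny rules taken from the default rc.firewall.
THREAD_RULES = [
    Rule("divert", via=OIF),
    Rule("deny", src="192.168.0.0/16", via=OIF),
    Rule("deny", dst="192.168.0.0/16", via=OIF),
    Rule("allow"),
]

# Same two checks, split around the divert: the "to RFC1918" check runs
# before natd (an inbound packet still carries the public destination), the
# "from RFC1918" check after it (an outbound packet already carries the
# public source).  Spoofed RFC1918 traffic from outside is still dropped.
FIXED_RULES = [
    Rule("deny", dst="192.168.0.0/16", via=OIF),
    Rule("divert", via=OIF),
    Rule("deny", src="192.168.0.0/16", via=OIF),
    Rule("allow"),
]


def session(rules):
    """Client request, its reply, then two spoofed inbound packets (all
    constructed).  Returns the four verdicts in that order."""
    natd = Natd()
    request = Packet("192.168.0.5", "198.51.100.7", OIF, "out")
    reply = Packet("198.51.100.7", PUBLIC_IP, OIF, "in")
    spoof_src = Packet("192.168.7.7", PUBLIC_IP, OIF, "in")      # RFC1918 source from outside
    spoof_dst = Packet("198.51.100.9", "192.168.0.9", OIF, "in")  # RFC1918 destination from outside
    return tuple(walk(rules, pkt, natd)[0]
                 for pkt in (request, reply, spoof_src, spoof_dst))


if __name__ == "__main__":
    print("thread ordering:", session(THREAD_RULES))   # reply is denied
    print("fixed ordering: ", session(FIXED_RULES))    # reply allowed, spoofs denied
```

The model only covers traffic on ed0; packets from the inside to ${oip} or ${iip} never cross the outside interface and so never reach either deny rule, which matches what the original poster observed.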


