Date: Mon, 24 Aug 1998 13:54:03 +0200
From: Paul van der Zwan <paulz@trantor.stuyts.nl>
To: "laurens van alphen" <alphen@craxx.com>
Cc: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
Message-ID: <199808241154.NAA16992@trantor.stuyts.nl>
In-Reply-To: Your message of "Thu, 20 Aug 1998 13:56:31 +0200."
> hi all,
>
> this is my setup
> external net: 130.89/16 (ed0)
> internal net: 192.168.0/24 (ed1)
> running natd and ipfw on the router
>
> rc.firewall contains:
> $fwcmd add divert natd all from any to any via ${natd_interface}
> where natd_interface is ed0
>
> next the default rc.firewall contained these rules:
>
> $fwcmd add deny all from 192.168.0.0/16 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0/16 via ${oif}
>
> when i apply those, natd clients (on the internal network) can no longer
> talk to the outside world. they can however talk to ${oip} and ${iip}.
>
> any clues? it seems to me natd should translate the packets coming from the
> internal network before the 192.168/16 rule sees 'em. right?
>

I haven't seen any useful followup. But apparently the translated packets are sent through all filter rules after translation.
Does anybody know a way to use RFC 1918 addresses internally and still deny them when coming from outside?
I am using the same kind of setup here and I have to allow all addresses I use on the inside as destination addresses.
It would be nice if the rules could recognize packets that had been 'fixed' by natd.

Paul
--
Paul van der Zwan    paulz @ trantor.stuyts.nl
"I think I'll move to theory, everything works in theory..."
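As an added example (not part of the thread), the rule ordering from the original post placed beside an ordering that filters by direction around the divert rule, relying on the behaviour Paul describes: a packet natd has translated re-enters the ruleset at the rule after the divert rule. Interface and network names come from the post; the rule numbers, the `in recv`/`out xmit` split and the dry-run `echo` wrapper are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the thread. Outside interface ed0 and the
# RFC 1918 block come from the post; rule numbers are assumptions.
# Set FWCMD=ipfw to load the rules for real; the default only prints them.
fwcmd="${FWCMD:-echo ipfw}"
oif="ed0"
rfc1918="192.168.0.0/16"

# Ordering from the post: both deny rules follow the divert rule. An inbound
# reply is translated to a 192.168.x.y destination by natd, re-enters at the
# rule after divert, and is dropped by rule 210 before it reaches the LAN.
broken_ruleset() {
    $fwcmd add 100 divert natd all from any to any via $oif
    $fwcmd add 200 deny all from $rfc1918 to any via $oif
    $fwcmd add 210 deny all from any to $rfc1918 via $oif
    $fwcmd add 65000 pass all from any to any
}

# Direction-aware ordering:
#  - inbound packets are checked BEFORE translation (rules 100/110): a private
#    source or private destination arriving on the outside interface is spoofed,
#    while a legitimate reply still carries the public address and passes.
#  - outbound packets are checked AFTER translation (rule 300): a private
#    source that survived natd means no translation took place.
# Translated packets resume at the rule after 200, so inbound ones skip the
# pre-translation checks and outbound ones, now with a public source, pass 300.
fixed_ruleset() {
    $fwcmd add 100 deny all from $rfc1918 to any in recv $oif
    $fwcmd add 110 deny all from any to $rfc1918 in recv $oif
    $fwcmd add 200 divert natd all from any to any via $oif
    $fwcmd add 300 deny all from $rfc1918 to any out xmit $oif
    $fwcmd add 65000 pass all from any to any
}

# Rule number of the first rule in a ruleset that matches a pattern (dry-run).
rule_number() { # usage: rule_number ruleset_function pattern
    "$1" | grep -- "$2" | head -n 1 | awk '{print $3}'
}

fixed_ruleset
```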