From owner-freebsd-security  Sun Oct  3 12:51:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pogo.caustic.org (pogo.caustic.org [216.69.69.123])
	by hub.freebsd.org (Postfix) with ESMTP id BBA9814A21
	for <freebsd-security@FreeBSD.ORG>; Sun,  3 Oct 1999 12:51:23 -0700 (PDT)
	(envelope-from jan@caustic.org)
Received: from localhost (jan@localhost)
	by pogo.caustic.org (8.9.3/ignatz) with ESMTP id MAA75431;
	Sun, 3 Oct 1999 12:51:34 -0700 (PDT)
Date: Sun, 3 Oct 1999 12:51:34 -0700 (PDT)
From: "f.johan.beisser" <jan@caustic.org>
To: Dmitriy Bokiy <ratebor@cityline.ru>
Cc: FreeBSD Security ML <freebsd-security@FreeBSD.ORG>
Subject: Re: natd -deny_incoming
In-Reply-To: <18882.991003@cityline.ru>
Message-ID: <Pine.BSF.4.05.9910031234160.41067-100000@pogo.caustic.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 3 Oct 1999, Dmitriy Bokiy wrote:

> Just to be completely sure. Is it correct that if I don`t run natd
> with "-deny_incoming" option turned on it`s going to accept external
> connections to RFC addresses which at the moment have an entry in NATd`s
> internal translation table?

no, it shouldn't. because of how TCP/IP works, even if the request is on
a port that is open (natd will drop it anyway) the daemon holding the port
open will renegotiate it anyway. natd can do port forwarding though, and
map certain ports over to other machines in the internal network.

natd also dosen't care about the RFC networks. it plays dumb, and just
listens to its designated interface.
 
> If that`s so is there some ground under it or is it just a "feature"?
> In other words: why do we need this option at all if "deny incoming to
> RFCs" could be default behavior?

well, the problem with dening the unroutable networks (RFC 1918,
192.168.0.0, 10.0.0.0, 172.16.0.0) from natd is that some folks (in my
lab, included) will want to have an unrouteable network inside of an 
unroutable.
 
> Or do I miss anything?

no, i don't think so.

if you're really worried about spoofing coming through, i'd suggest using
IPFW or IPFILTER to stop the spoofing. it's just two lines in the IPFW to
stop it.

-- jan



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message