Date:      Mon, 24 Aug 1998 17:08:49 +0200
From:      Paul van der Zwan <paulz@trantor.stuyts.nl>
To:        Neil Blakey-Milner <nbm@rucus.ru.ac.za>
Cc:        security@FreeBSD.ORG
Subject:   Re: natd and ipfw rules not working together 
Message-ID:  <199808241508.RAA04739@trantor.stuyts.nl>
In-Reply-To: Your message of "Mon, 24 Aug 1998 14:50:09 +0200." <19980824145009.A25487@rucus.ru.ac.za> 


> On Mon 1998-08-24 (13:54), Paul van der Zwan wrote:
> > I haven't seen any useful followup. But apparently the translated packets
> > are sent thru all filter rules after translation. Does anybody know a
> > way to use RFC 1918 addresses internally and still deny them when coming
> > from outside?
> 
> I'm not sure if this helps, but ipfw has a "skip" ability, which allows you
> to make a specified rule skip to a higher rule, bypassing intermediate rules.
> 
> > I am using the same kind of setup here and I have to allow all addresses I use
> > on the inside as destination addresses.
> > It would be nice if the rules could recognize packets that had been 'fixed'
> > by natd.
> 
> You might want to check on ipfw rules with "ACK" or "RST" (ipfw rule
> "established"), and "SYN" (ipfw rule setup), which should be adjusted by
> natd, but I'd make sure to deny all rfc1918 on the external interface first,
> and even then I'm not sure if this can't be bypassed by a craftily spoofed
> packet.
> 

That is the problem: if I deny RFC 1918 addresses I also deny packets 
translated by natd. There is AFAIK no way to distinguish these 
(legitimate, RFC 1918-addressed) packets from those coming in on the same 
interface that contained an RFC 1918 address from the start.

> I'm not sure if this helps, but maybe you can use "xmit ${natd_interface}"
> instead of "via ${natd_interface}" in your rule.  Also, being more specific
> in your rules might be useful too. (replace those any to any's with more
> specific values)
> 
> Also, you might want to debug things by using the "log" option to ipfw.  For
> your natd stuff, try a "from not natd_network to natd_network in recv ${oif}"
> and a "from natd_network to not natd_network out recv ${natd_interface} xmit
> ${oif}".  
> 
> I'm not terribly sure about this, not able to test this right now, just
> throwing some ideas around.
> 
This is the relevant part of my rules at the moment.
My laptop is using 192.168.200.95 and if I browse from it, the return
packets bounce against the commented line, which must be there to deny 
RFC 1918 packets coming in from the internet.


# tun0 is the external (PPP) interface, de0 the internal LAN
add divert natd ip from any to any via tun0
add allow     ip   from any to any via lo0
add allow     ip   from any to any via de0
add deny log  ip   from 127.0.0.0/8 to 127.0.0.0/8
# RFC 1918 nets must not arrive on the outside interface, as source or destination
add deny log  all  from 192.168.0.0:255.255.0.0 to any in recv tun0
#add deny log  all  from any to 192.168.0.0:255.255.0.0 in recv tun0
add deny log  all  from 172.16.0.0:255.240.0.0 to any in recv tun0
add deny log  all  from any to 172.16.0.0:255.240.0.0 in recv tun0
add deny log  all  from 10.0.0.0:255.0.0.0 to any in recv tun0
add deny log  all  from any to 10.0.0.0:255.0.0.0 in recv tun0

Regards
	Paul

-- 
Paul van der Zwan		paulz @ trantor.stuyts.nl
"I think I'll move to theory, everything works in theory..."
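The ordering problem in the ruleset above can be shown with a small model of how ipfw walks a chain that contains a divert rule. This is an added example written for this page, not code from the thread, from ipfw or from natd. It encodes one assumption, which is the behaviour Paul reports and which the comment above the divert rule in FreeBSD's stock rc.firewall "simple" ruleset also relies on: a packet handed to natd by a divert rule comes back translated and continues with the rule after the divert rule rather than restarting at the top. The public address, the NAT table entry, the remote server address and the trailing "allow any to any" standing in for the rest of the ruleset are all constructed; only the laptop address comes from the post.

```python
"""Model of ipfw rule evaluation around a natd divert rule (illustrative).

Assumption: a packet returned by natd resumes at the rule after the divert
rule, already translated.  Everything except the laptop address is constructed.
"""
import ipaddress

EXT_ADDR = "203.0.113.7"       # constructed public address on tun0
INT_HOST = "192.168.200.95"    # the laptop from the post
# Constructed natd state: external port -> (internal host, internal port),
# standing for a TCP connection the laptop opened to a web server earlier.
NAT_TABLE = {40001: (INT_HOST, 1234)}


def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule, pkt):
    """Rule = (action, src, dst, direction, ifkind, iface), mirroring ipfw syntax.

    'via X' tests the interface the packet is currently on (recv on the input
    pass, xmit on the output pass); 'recv X' / 'xmit X' test just that one.
    """
    _, src, dst, direction, ifkind, iface = rule
    if not in_net(pkt["src"], src) or not in_net(pkt["dst"], dst):
        return False
    if direction and pkt["dir"] != direction:
        return False
    if ifkind == "via":
        return iface == (pkt["recv"] if pkt["dir"] == "in" else pkt["xmit"])
    if ifkind == "recv":
        return iface == pkt["recv"]
    if ifkind == "xmit":
        return iface == pkt["xmit"]
    return True


def natd(pkt):
    """Inbound translation: rewrite dst to the mapped internal host, if any."""
    p = dict(pkt)
    if p["dir"] == "in" and p["dst"] == EXT_ADDR and p["dport"] in NAT_TABLE:
        p["dst"], p["dport"] = NAT_TABLE[p["dport"]]
    return p


def walk(rules, pkt):
    """Return (verdict, packet as the deciding rule saw it)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule[0] == "divert":
            pkt = natd(pkt)     # assumed: resume with the next rule, translated
            continue
        return rule[0], pkt
    return "deny", pkt          # ipfw's default when nothing matches


PRIVATE = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
TO_PRIVATE = [("deny", "any", n, "in", "recv", "tun0") for n in PRIVATE]
FROM_PRIVATE = [("deny", n, "any", "in", "recv", "tun0") for n in PRIVATE]
DIVERT = ("divert", "any", "any", None, "via", "tun0")
ALLOW_LOCAL = [("allow", "any", "any", None, "via", "lo0"),
               ("allow", "any", "any", None, "via", "de0"),
               ("deny", "127.0.0.0/8", "127.0.0.0/8", None, None, None)]
FINAL_ALLOW = [("allow", "any", "any", None, None, None)]  # assumed rest of the ruleset

# The posted order (grouped by kind), with the commented-out 'to 192.168/16'
# deny switched back on, since that is the check Paul needs.
AS_POSTED = [DIVERT] + ALLOW_LOCAL + FROM_PRIVATE + TO_PRIVATE + FINAL_ALLOW

# Destination checks moved above the divert so they judge the untranslated
# packet; source checks stay below it (inbound natd never rewrites the source).
FIXED = TO_PRIVATE + [DIVERT] + ALLOW_LOCAL + FROM_PRIVATE + FINAL_ALLOW

# Constructed packets arriving on tun0 from a remote web server.
RETURN = {"src": "198.51.100.9", "dst": EXT_ADDR, "dport": 40001,
          "dir": "in", "recv": "tun0", "xmit": None}   # reply to the laptop's connection
SPOOF = {"src": "198.51.100.9", "dst": INT_HOST, "dport": 1234,
         "dir": "in", "recv": "tun0", "xmit": None}    # arrives with a private dst

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("fixed", FIXED)):
        for label, pkt in (("return", RETURN), ("spoof", SPOOF)):
            verdict, seen = walk(rules, pkt)
            print(f"{name:9s} {label:6s} -> {verdict:5s} (dst as judged: {seen['dst']})")
```

In ipfw terms the change is to move the three `deny ... from any to <RFC 1918 net> in recv tun0` lines above `add divert natd ...` and leave the `from <RFC 1918 net>` lines below it: the legitimate reply still carries the public address when the destination checks run, and only becomes 192.168.200.95 after the divert, while a packet that already carried a private destination on tun0 is dropped before natd ever sees it. Whether the resume-after-divert assumption holds on a given ipfw build is worth confirming with the `log` option Neil suggests, or with the rule counters, before trusting the ordering.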



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808241508.RAA04739>