From owner-freebsd-security Fri Oct 2 03:33:21 1998
Date: Fri, 2 Oct 1998 22:30:33 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
To: ark@eltex.ru
Cc: agalindo@servidor.exsocom.com.mx, kim@tinker.com, freebsd-security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Firewall with 2 NIC and a NET class C
In-Reply-To: <199810020908.NAA21458@paranoid.eltex.spb.ru>

I'm still getting to grips with this stuff, so please correct me if I've
got it wrong.

On Fri, 2 Oct 1998 ark@eltex.ru wrote:

> Alejandro Galindo Chairez AGALINDO said:
>
> > > You have a couple of ways to approach this. You could use network address
> > > translation and have private addresses for all your machines. The "public"
> > > machines would have static mappings to real IP addresses that are aliased
> > > on the outside interface of the firewall. You would also use ipfw rules to
> > > control the traffic.
> >
> > OK, I like the idea of having static mappings to real IP addresses that are
> > aliased on the outside interface. How can I do that?
>
> It is definitely a BAD idea. It breaks any reasonable security policy.

Care to elaborate? What sort of security measure does this prevent or
weaken?
I imagine a setup where the firewall has route entries directing the real
IPs of the servers to their addresses in the private address space, and
those machines have the real IPs mapped onto their loopback interface. So
long as the firewall has rules to prevent spoofed packets appearing to come
from the private address space, and otherwise blocks all but the necessary
traffic, it seems this should work.

The earlier discussion of splitting the class C network of real IPs seemed
wasteful. Even if all the machines behind the firewall were to have real
IPs, why waste half of them on the connection from the outside router to
the firewall? Those interfaces could use private IPs even if nothing else
did.

Andrew McNaughton
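The configuration the quoted advice describes (private addresses inside,
static one-to-one mappings to real addresses aliased on the outside
interface, ipfw controlling traffic) is sketched below as an added example.
It is not code from anyone in this thread, and it shows the natd static
mapping approach rather than Andrew's loopback-plus-route variant. Everything
concrete is assumed: ed0/ed1 as the outside/inside interfaces, 203.0.113.0/24
as the real class C, 192.168.1.0/24 as the private space, the two servers
and their ports, and that the router-to-firewall link uses a third range
distinct from both (otherwise the anti-spoof rules would drop the router's
own packets). The script only emits natd.conf, ifconfig and ipfw commands;
applying them is left to the caller, as the comments at the end show.

```shell
#!/bin/sh
# Added example: static 1:1 NAT on a FreeBSD firewall with ipfw + natd.
# Interface names, addresses and services are assumptions for illustration.
EXT_IF=ed0                    # assumed outside interface, toward the router
INT_IF=ed1                    # assumed inside interface, toward the servers
PRIVATE_NET=192.168.1.0/24    # assumed RFC 1918 space behind the firewall
PUBLIC_NET=203.0.113.0/24     # assumed class C of real addresses
NATD_PORT=8668                # divert port natd listens on

# Static mappings (assumed), one per line:
#   <private address> <public address> <tcp port offered to the outside>
MAPPINGS='192.168.1.10 203.0.113.10 80
192.168.1.11 203.0.113.11 25'

# natd.conf: each public address is tied to exactly one inside host, so
# inbound packets to 203.0.113.10 are rewritten to 192.168.1.10 and the
# host's replies are rewritten back on the way out.
natd_conf() {
    printf 'interface %s\n' "$EXT_IF"
    printf 'port %s\n' "$NATD_PORT"
    echo "$MAPPINGS" | while read -r priv pub port; do
        printf 'redirect_address %s %s\n' "$priv" "$pub"
    done
}

# The public addresses must also exist on the outside interface so the
# firewall answers ARP for them from the router; /32 masks avoid a second
# route for the whole class C.
alias_cmds() {
    echo "$MAPPINGS" | while read -r priv pub port; do
        printf 'ifconfig %s alias %s netmask 255.255.255.255\n' "$EXT_IF" "$pub"
    done
}

# ipfw rules, emitted as commands. Order matters: the anti-spoof checks run
# before the divert, so natd never sees packets that claim a private or
# one of our own public source addresses while arriving from the outside.
# Rules after the divert see the translated packet: inbound traffic to a
# public address is already addressed to the private host, and outbound
# traffic from a private host already carries its public address.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from 127.0.0.0/8 to any
ipfw add 210 deny ip from any to 127.0.0.0/8
ipfw add 300 deny log ip from $PRIVATE_NET to any in via $EXT_IF
ipfw add 310 deny log ip from $PUBLIC_NET to any in via $EXT_IF
ipfw add 320 deny log ip from any to $PRIVATE_NET in via $EXT_IF
ipfw add 400 divert $NATD_PORT ip from any to any via $EXT_IF
ipfw add 500 allow tcp from any to any established
EOF
    n=510
    echo "$MAPPINGS" | while read -r priv pub port; do
        # post-translation: only the advertised port reaches each server
        printf 'ipfw add %d allow tcp from any to %s %s setup in via %s\n' \
            "$n" "$priv" "$port" "$EXT_IF"
        n=$((n + 10))
    done
    cat <<EOF
ipfw add 600 allow ip from $PUBLIC_NET to any out via $EXT_IF
ipfw add 610 allow ip from $PRIVATE_NET to any via $INT_IF
ipfw add 620 allow ip from any to $PRIVATE_NET via $INT_IF
ipfw add 65000 deny log ip from any to any
EOF
}

# Applying it (kernel built with IPFIREWALL and IPDIVERT):
#   natd_conf > /etc/natd.conf && natd -f /etc/natd.conf
#   alias_cmds | sh
#   ipfw_rules | sh
```

Rule 310 is the one the thread is really arguing about: once the real
addresses are aliased on ed0 and translated by natd, a packet arriving from
the router with one of them as its source can only be forged, so it is
dropped and logged before natd touches it.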