From owner-freebsd-bugs Sun Apr 12 04:36:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA25093 for freebsd-bugs-outgoing; Sun, 12 Apr 1998 04:36:18 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [194.93.177.113]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA24584 for ; Sun, 12 Apr 1998 04:34:27 -0700 (PDT) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.8.8/8.8.8) id OAA27146; Sun, 12 Apr 1998 14:33:55 +0300 (EEST) (envelope-from ru)
Message-ID: <19980412143355.01888@ucb.crimea.ua>
Date: Sun, 12 Apr 1998 14:33:55 +0300
From: Ruslan Ermilov
To: freebsd-bugs@hub.freebsd.org
Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
Mail-Followup-To: freebsd-bugs@hub.freebsd.org
References: <199804121050.DAA18249@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <199804121050.DAA18249@hub.freebsd.org>; from Poul-Henning Kamp on Sun, Apr 12, 1998 at 03:50:02AM -0700
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Apr 12, 1998 at 03:50:02AM -0700, Poul-Henning Kamp wrote:
> The following reply was made to PR conf/6278; it has been noted by GNATS.
>
> From: Poul-Henning Kamp
> To: ru@ucb.crimea.ua
> Cc: FreeBSD-gnats-submit@FreeBSD.ORG
> Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
> Date: Sun, 12 Apr 1998 12:41:07 +0200
>
> >>Description:
> >
> > There is only one half of protection of
> > RFC1918 nets usage on outside interface.
>
> I think it is cheaper to add this protection with some discard routes,
> ie:
>
> route add -net 10.0.0.0 -netmask 255.0.0.0 -reject
> route add -net 172.16.0.0 -netmask 255.240.0.0 -reject
> route add -net 192.168.0.0 -netmask 255.255.0.0 -reject
> route add -net 127.0.0.0 -netmask 255.0.0.0 -reject
>
> (or use -blackhole if you prefer)
>
I don't think so. Here is the situation where your method won't work:

                 +-------------------+
                 |                   |
+--------+   +---*----+          +---*----+   +--------+
|Internet|---|Router A|          |Router B|---|Intranet|
+--------+   +--------+          +--------+   +--------+

- Routers A and B have real IPs;
- Router B also has one or more intranet (RFC1918) IPs;
- Firewall is configured on Router A to protect a whole network;
- Router A should be capable of connecting to intranet hosts.

I have this scheme in my own network: router A has default route to the
Internet and a route to the 192.168.0.0/16 network with next-hop Router B.
If I add the routes you suggest, Router A will be unable to send packets
to the intranet IPs at all.

My patch stops RFC1918 nets on the outside interface(s) *ONLY*!!!
Firewall won't pass packets to/from intranet IPs if they come from/to
Internet only. The machine running firewall will be able to contact
RFC1918 nets on the other (non-Internet) interfaces.

One more thing: with firewall I can log the attempts to access my
intranet networks. Your method won't give this benefit, agree?

Regards,
--
Ruslan Ermilov          System Administrator
ru@ucb.crimea.ua        United Commercial Bank
+380-652-247647         Simferopol, Crimea
2426679                 ICQ Network, UIN

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
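An added example, not the PR's patch and not /etc/rc.firewall itself, of the interface-scoped rules the reply argues for: ipfw rules that stop RFC1918 addresses in both directions, only on the outside interface, and log the attempts. It assumes the rc.firewall convention that $fwcmd names the ipfw binary (here defaulting to echo so it can be dry-run without root or ipfw) and uses ed0 as a placeholder outside interface name.

```sh
#!/bin/sh
# Emit ipfw rules that drop packets with an RFC1918 source *or* destination,
# restricted with "via" to the outside interface only. Packets to intranet
# nets that leave through another interface (the Router A -> Router B link)
# never match these rules, unlike a -reject route, which is interface-agnostic.
# Assumption: $fwcmd is the ipfw binary as in rc.firewall; "echo" by default
# so the script only prints the rules it would install.
fwcmd="${fwcmd:-echo}"

rfc1918_rules() {
    oif="$1"   # outside (Internet-facing) interface, e.g. ed0 (assumed name)
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        # first half: private source address seen on the outside interface
        $fwcmd add deny log ip from "$net" to any via "$oif"
        # second half: private destination address seen on the outside interface
        $fwcmd add deny log ip from any to "$net" via "$oif"
    done
}

# Number of rules the generator produces for an interface (dry-run only).
count_rules() {
    rfc1918_rules "$1" | wc -l | tr -d ' '
}

rfc1918_rules ed0
```

With fwcmd unset the script prints two rules per private net; setting fwcmd=/sbin/ipfw installs them, and "log" makes every hit visible in the ipfw log.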