Date: Thu, 5 Feb 2004 13:45:55 -0600
From: John <john@starfire.mn.org>
To: freebsd-net@freebsd.org
Subject: IPFW and NAT - blocking RFC 1918 ("unregistered") network that matches my own
Message-ID: <20040205134555.A28070@starfire.mn.org>
next in thread | raw e-mail | index | archive | help
I am up and running with ipfw 2 and natd, but not all is quite well.
I can't figure out how to block "spoofed" packets from the outside
that use the same RFC 1918 network as the one I'm translating to.
When I try to put that rule on the exterior interface, it ends up
blocking the packets after they are translated.
Specifically, the network I am using falls in the 192.168.0.0/16 range.
(I won't publish exactly which one: you only have 254 to try...)
If, however, I put in
${fwcmd} add deny ip from any to 192.168.0.0/16 via ${oif}
then I cut off my interior network entirely, due, presumably, to
the pass through the rules after translation.
I suspect that I need some combination of "in" or "recv," but I
would like to actually UNDERSTAND what I'm doing instead of just
trying combinations 'til it works. On the other hand, there are
sysctl kernel parameters that might affect this behavior, or maybe
other natd parameters - so maybe that's not even the ticket.
Another thing I would like to understand better is how to make a
wise choice as to where the divert rule should be.
Can someone point me to a resource? I spent an hour at Barnes & Nobel
last night looking through various firewalling books that were long
on theory, or even examples, but not examples for an ipfw / natd
situation.
Thanks!
--
John Lind
john@starfire.MN.ORG
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040205134555.A28070>