Date:      10 Apr 2001 11:08:34 -0400
From:      Lowell Gilbert <lowell@world.std.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: How to specify external network for firewall/NAT when IP is dynamically assigned
Message-ID:  <44k84skd1p.fsf@lowellg.ne.mediaone.net>
In-Reply-To: todd@doonga.net's message of "10 Apr 2001 04:31:33 +0200"
References:  <15058.28495.979447.568693@guru.mired.org> <KJEPKOABHFNPCHDCFDKGMEMMCEAA.todd@doonga.net>

todd@doonga.net (Todd Punderson) writes:

> Ok, dumb question. If I have 2 NICs, does "me" know to use the dynamic
> address? I have my private range, and my DHCP'ed IP from the cable co.

It doesn't, per se.  It actually uses *all* of that machine's
addresses.  It will do separate checks against the DHCP-assigned
address, and against whatever address that machine is using in the
private range on the inside interface.  Assuming that the "me" rules
come *after* rules that reject your private addresses from being used
on the outside interface (which should be the case in the default
configuration if your private addresses come from RFC 1918, like
10.x), this is effectively the same, for the outside interface, as
having the actual DHCP-assigned address in place of the "me".  

[That paragraph is a little involved.  If it doesn't make sense after
a few readings, feel free to ask for more explanation.]


I think it was Mike Meyer who wrote:

> > Somewhat recently, FreeBSD has added a "me" option to ipfw's syntax for
> > specifying addresses, and you can use this to refer to your address
> > without needing to rebuild those rules if that address changes.
> > However, as I said earlier, this is of somewhat limited usefulness if
> > you've only got one address anyway.
> 
> "me" doesn't really help in this case. It matches the ip addresses for
> the system, not the network address range that's being used here.

That's true, but I think the address range is actually a single
address anyway, so it ends up being the same thing, as long as source
addresses from the wrong interface (i.e., spoofs) are covered before
the rule using "me".

I suspect that the phrase "this case" was referring to detecting and
blocking spoofs by checking and refusing packets with source addresses
coming from the "wrong" interface.  If that is so, then I agree fully,
but there are some *other* cases *besides* spoofing where "me" can be
a little bit useful.

> Another recent addition is "not". If all traffic coming from inside
> should be from ${inet}:${imask}, you can do the spoof block using not
> and your internal network address like so:
> 
> ${fwcmd} add deny all from not ${inet}:${imask} to any in via ${iif}

That's checking for spoofs from the inside network.  That should
definitely be done before any rules that could possibly involve the
"me" keyword.  

> This is a bit broader block than the one in rc.firewall, and it may
> not be appropriate in all cases. If you're managing a network large
> enough for it not to be appropriate - well, you probably wouldn't be
> asking the questions you're asking.

Nicely put.  I think it's a shame that we can't seem to put together
firewall rules that can really be used as-is (for strong firewalling) by
substantial numbers of people, but I've tried my hand at fixing up the
default script for that purpose, and found that it's very hard to do
without adding so many new configuration knobs that people might as
well write their own scripts.  It's always been the case that network
security involved knowing what services you were running and tailoring
your security policy to them, and I don't see any easy way to "fix"
that situation.

 - Lowell Gilbert
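The rule ordering argued for in this message, written out as an rc.firewall-style sh script: spoof checks on both interfaces first, then the natd divert, and only then rules that use "me". This is an added example, not code from the thread or from FreeBSD's rc.firewall; the interface names (ed0/ed1), the inside network (192.168.1.0/24) and the services allowed in the "me" rules are assumptions.

```shell
#!/bin/sh
# Added example for the freebsd-questions thread above; not FreeBSD's
# rc.firewall.  Interface names, inside network and ports are assumptions.

oif="ed0"                    # outside NIC; its address comes from DHCP
iif="ed1"                    # inside NIC
inet="192.168.1.0"           # inside network, RFC 1918 space
imask="255.255.255.0"
fwcmd="${FWCMD:-echo ipfw}"  # dry run by default; FWCMD=/sbin/ipfw loads rules

gen_rules() {
    ${fwcmd} -f flush

    # Loopback traffic, and nothing pretending to be loopback elsewhere
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8

    # Anti-spoofing.  These sit BEFORE any rule that uses "me", because
    # "me" matches every address on the box, the inside address included.
    # Our own inside network must never be a source on the outside NIC
    ${fwcmd} add 1000 deny all from ${inet}:${imask} to any in via ${oif}
    # RFC 1918 space in general is never a legitimate source there either
    ${fwcmd} add 1010 deny all from 10.0.0.0/8 to any in via ${oif}
    ${fwcmd} add 1020 deny all from 172.16.0.0/12 to any in via ${oif}
    ${fwcmd} add 1030 deny all from 192.168.0.0/16 to any in via ${oif}
    # Everything arriving on the inside NIC must come from the inside net;
    # this also stops an inside host from spoofing our dynamic outside address
    ${fwcmd} add 1100 deny all from not ${inet}:${imask} to any in via ${iif}

    # NAT after the spoof checks, so they see untranslated addresses
    ${fwcmd} add 2000 divert natd all from any to any via ${oif}

    # From here on "me" is safe: on ${oif} only the DHCP address can match,
    # since inside-range sources were already rejected above.
    ${fwcmd} add 3000 allow tcp from any to any established
    ${fwcmd} add 3010 allow tcp from any to me 22 in via ${oif} setup
    ${fwcmd} add 3020 allow tcp from ${inet}:${imask} to any setup
    ${fwcmd} add 3030 allow udp from me to any 53 out via ${oif}
    ${fwcmd} add 3040 allow udp from any 53 to me in via ${oif}
    ${fwcmd} add 3050 allow icmp from any to any icmptypes 0,3,8,11

    # Default: deny and log everything else
    ${fwcmd} add 65000 deny log ip from any to any
}

gen_rules
```

Run it as-is to print the rule set in order; set FWCMD=/sbin/ipfw to load it, and do that from the console rather than over the network, since the flush removes every rule and a default-to-deny kernel will drop your session until the new rules are in place.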
