Date: Sun, 12 Apr 1998 14:33:55 +0300
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: freebsd-bugs@hub.freebsd.org
Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
Message-ID: <19980412143355.01888@ucb.crimea.ua>
In-Reply-To: <199804121050.DAA18249@hub.freebsd.org>; from Poul-Henning Kamp on Sun, Apr 12, 1998 at 03:50:02AM -0700
References: <199804121050.DAA18249@hub.freebsd.org>
On Sun, Apr 12, 1998 at 03:50:02AM -0700, Poul-Henning Kamp wrote:
> The following reply was made to PR conf/6278; it has been noted by GNATS.
>
> From: Poul-Henning Kamp <phk@critter.freebsd.dk>
> To: ru@ucb.crimea.ua
> Cc: FreeBSD-gnats-submit@FreeBSD.ORG
> Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
> Date: Sun, 12 Apr 1998 12:41:07 +0200
>
> >>Description:
> >
> > There is only one half of protection of
> > RFC1918 nets usage on outside interface.
>
> I think it is cheaper to add this protection with some discard routes,
> ie:
>
> route add -net 10.0.0.0 -netmask 255.0.0.0 -reject
> route add -net 172.16.0.0 -netmask 255.240.0.0 -reject
> route add -net 192.168.0.0 -netmask 255.255.0.0 -reject
> route add -net 127.0.0.0 -netmask 255.0.0.0 -reject
>
> (or use -blackhole if you prefer)
>
I don't think so.
Here is the situation where your method won't work:
                 +------------+
                 |            |
+--------+   +---*----+   +---*----+   +--------+
|Internet|---|Router A|   |Router B|---|Intranet|
+--------+   +--------+   +--------+   +--------+
- Routers A and B have real IPs;
- Router B also has one or more intranet (RFC1918) IPs;
- Firewall is configured on Router A to protect the whole network;
- Router A should be capable of connecting to intranet hosts.
I have this scheme in my own network: router A has default route
to the Internet and a route to the 192.168.0.0/16 network with
next-hop Router B.
If I add the routes you suggest, Router A will be unable to send
packets to the intranet IPs at all.
My patch stops RFC1918 nets on the outside interface(s) *ONLY*!!!
Firewall won't pass packets to/from intranet IPs if they come
from/to Internet only. The machine running firewall will be able to
contact RFC1918 nets on the other (non-Internet) interfaces.
One more thing: with firewall I can log the attempts to access my
intranet networks. Your method won't give this benefit, agree?
Regards,
--
Ruslan Ermilov          System Administrator
ru@ucb.crimea.ua        United Commercial Bank
+380-652-247647         Simferopol, Crimea
2426679                 ICQ Network, UIN
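Added example, not part of the thread or of FreeBSD's rc.firewall: a small Python model of the two mechanisms argued about above, showing that an rc.firewall-style rule scoped "via" the outside interface lets Router A still reach the intranet through Router B (and logs hits), while a host-wide -reject route acts on every destination lookup regardless of interface. Interface names ed0/ed1 and all addresses are constructed for the illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the two mechanisms argued about in this thread; not FreeBSD code.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUTSIDE_IF = "ed0"   # assumed name of Router A's Internet-facing interface
INSIDE_IF = "ed1"    # assumed name of Router A's interface toward Router B

# iface is the interface the packet is received on or sent out of (ipfw's "via" sense).
Packet = namedtuple("Packet", "src dst iface")

def in_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

def firewall_verdict(pkt, log):
    """rc.firewall-style rule: deny an RFC1918 source OR destination, but only 'via' the
    outside interface. Packets on other interfaces are untouched, and each hit is logged."""
    if pkt.iface == OUTSIDE_IF and (in_rfc1918(pkt.src) or in_rfc1918(pkt.dst)):
        log.append(f"deny {pkt.src} -> {pkt.dst} via {pkt.iface}")
        return "deny"
    return "allow"

def reject_route_verdict(pkt):
    """A -reject route is consulted on the destination lookup of every packet Router A
    forwards or originates, whatever interface is involved, and it never sees the source."""
    return "unreachable" if in_rfc1918(pkt.dst) else "forward"

def compare():
    """Evaluate both mechanisms on three constructed packets as seen by Router A."""
    log = []
    cases = {
        # An Internet host trying to reach the intranet through Router A.
        "internet_to_intranet": Packet("203.0.113.7", "192.168.1.10", OUTSIDE_IF),
        # Router A itself (real IP 198.51.100.1) talking to an intranet host via Router B.
        "routerA_to_intranet": Packet("198.51.100.1", "192.168.1.10", INSIDE_IF),
        # A packet with a private source address arriving from the Internet.
        "private_src_from_internet": Packet("10.9.8.7", "198.51.100.1", OUTSIDE_IF),
    }
    verdicts = {name: (firewall_verdict(p, log), reject_route_verdict(p)) for name, p in cases.items()}
    return verdicts, log

if __name__ == "__main__":
    verdicts, log = compare()
    for name, (fw, rt) in verdicts.items():
        print(f"{name:28s} firewall={fw:5s} reject-route={rt}")
    print("firewall log:", *log, sep="\n  ")
```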