Date: Sun, 12 Apr 1998 14:33:55 +0300
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: freebsd-bugs@hub.freebsd.org
Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
Message-ID: <19980412143355.01888@ucb.crimea.ua>
In-Reply-To: <199804121050.DAA18249@hub.freebsd.org>; from Poul-Henning Kamp on Sun, Apr 12, 1998 at 03:50:02AM -0700
References: <199804121050.DAA18249@hub.freebsd.org>
On Sun, Apr 12, 1998 at 03:50:02AM -0700, Poul-Henning Kamp wrote:
> The following reply was made to PR conf/6278; it has been noted by GNATS.
>
> From: Poul-Henning Kamp <phk@critter.freebsd.dk>
> To: ru@ucb.crimea.ua
> Cc: FreeBSD-gnats-submit@FreeBSD.ORG
> Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
> Date: Sun, 12 Apr 1998 12:41:07 +0200
>
> >>Description:
> >
> > There is only one half of protection of
> > RFC1918 nets usage on outside interface.
>
> I think it is cheaper to add this protection with some discard routes,
> ie:
>
> route add -net 10.0.0.0 -netmask 255.0.0.0 -reject
> route add -net 172.16.0.0 -netmask 255.240.0.0 -reject
> route add -net 192.168.0.0 -netmask 255.255.0.0 -reject
> route add -net 127.0.0.0 -netmask 255.0.0.0 -reject
>
> (or use -blackhole if you prefer)

I don't think so. Here is the situation where your method won't work:

                 +--------------+
                 |              |
+--------+   +---*----+     +---*----+   +--------+
|Internet|---|Router A|     |Router B|---|Intranet|
+--------+   +--------+     +--------+   +--------+

- Routers A and B have real IPs;
- Router B also has one or more intranet (RFC1918) IPs;
- the firewall is configured on Router A to protect the whole network;
- Router A should be capable of connecting to intranet hosts.

I have this scheme in my own network: Router A has a default route to the
Internet and a route to the 192.168.0.0/16 network with next hop Router B.
If I add the routes you suggest, Router A will be unable to send packets
to the intranet IPs at all.

My patch stops RFC1918 nets on the outside interface(s) *ONLY*!!! The
firewall won't pass packets to/from intranet IPs when they come from/go to
the Internet, and only then. The machine running the firewall will still be
able to contact RFC1918 nets on the other (non-Internet) interfaces.

One more thing: with the firewall I can log attempts to access my intranet
networks. Your method won't give this benefit, agree?
Regards,
--
Ruslan Ermilov
System Administrator
ru@ucb.crimea.ua
United Commercial Bank
+380-652-247647
Simferopol, Crimea
ICQ Network, UIN 2426679
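An added illustration of the argument in the message above (my own code, not the patch from PR conf/6278, phk's suggestion, or anything in FreeBSD's /etc/rc.firewall): a small Python model of Router A that runs the same constructed packets through the two approaches. Interface names (ed0/ed1), the 198.51.100.0/24 "real" link between the routers, the packets, and the ipfw rule shape quoted in the comments are all assumptions made for the example; the reject-route behaviour is modelled as a destination-only lookup, which is how a -reject route works.

```python
import ipaddress

# Router A as the message describes it, with constructed names and addresses:
# one interface to the Internet, one toward Router B, a default route and a
# route for the intranet via Router B.
OUTSIDE_IF = "ed0"                                    # assumed Internet-facing interface
INSIDE_IF = "ed1"                                     # assumed interface toward Router B
INTRANET = ipaddress.ip_network("192.168.0.0/16")     # reached via Router B
INSIDE_LINK = ipaddress.ip_network("198.51.100.0/24") # constructed "real" link A<->B

# Nets that must never cross the outside interface in either direction.
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_bogon(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BOGONS)


def egress_iface(dst):
    """Router A's forwarding decision: intranet and the A<->B link go out the
    inside interface, everything else follows the default route."""
    a = ipaddress.ip_address(dst)
    return INSIDE_IF if (a in INTRANET or a in INSIDE_LINK) else OUTSIDE_IF


def reject_route_policy(in_iface, src, dst):
    """Discard-route approach.  A -reject route is consulted only when the
    destination is looked up: the source address and the arrival interface
    play no part.  A reject route for 192.168.0.0/16 also takes the place of
    Router A's route to the intranet via Router B, so Router A's own packets
    to the intranet are refused too.  Nothing is logged."""
    if is_bogon(dst):
        return "drop", None
    return "pass", None


def outside_if_filter(in_iface, src, dst):
    """Interface-scoped filter.  Deny and log any packet crossing the outside
    interface in either direction with a bogon source or destination; leave
    every other interface alone.  This is the shape of ipfw rules such as
    'deny log ip from 192.168.0.0/16 to any via ed0' and
    'deny log ip from any to 192.168.0.0/16 via ed0' (rule text assumed,
    not the patch attached to the PR)."""
    out_iface = egress_iface(dst)
    if OUTSIDE_IF in (in_iface, out_iface) and (is_bogon(src) or is_bogon(dst)):
        return "deny", f"ipfw: deny ip {src} -> {dst} via {OUTSIDE_IF}"
    return "pass", None


# Constructed packets: (description, arrival interface, src, dst).
# The arrival interface is None for packets Router A generates itself.
PACKETS = [
    ("internet host probes intranet address", OUTSIDE_IF, "203.0.113.5", "192.168.1.10"),
    ("internet packet with forged private source", OUTSIDE_IF, "10.1.2.3", "198.51.100.7"),
    ("intranet host leaking out to the internet", INSIDE_IF, "192.168.1.10", "203.0.113.5"),
    ("router A itself talks to intranet host", None, "198.51.100.1", "192.168.1.10"),
]


def run(policy, packets=PACKETS):
    """Apply a policy to each packet; return {description: (verdict, log_line)}."""
    return {desc: policy(in_iface, src, dst)
            for desc, in_iface, src, dst in packets}


if __name__ == "__main__":
    for name, policy in (("reject routes", reject_route_policy),
                         ("outside-interface filter", outside_if_filter)):
        print(f"== {name}")
        for desc, (verdict, log) in run(policy).items():
            print(f"  {verdict:5}  {desc}" + (f"   [{log}]" if log else ""))
```

Running it shows the two points the message makes: with the reject routes, Router A's own packet to the intranet host is refused along with the Internet probe, and the forged-source packet from the outside is passed because only the destination is looked up; with the interface-scoped filter, the Internet probe, the forged-source packet and the intranet address leaking outward are all denied with a log line, while Router A still reaches the intranet over the inside interface.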