Date:      Sun, 12 Apr 1998 13:59:00 +0200
From:      Poul-Henning Kamp <phk@critter.freebsd.dk>
To:        Ruslan Ermilov <ru@ucb.crimea.ua>
Cc:        freebsd-bugs@hub.freebsd.org
Subject:   Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection 
Message-ID:  <16224.892382340@critter.freebsd.dk>
In-Reply-To: Your message of "Sun, 12 Apr 1998 14:33:55 +0300." <19980412143355.01888@ucb.crimea.ua>

>>  >	There is only one half of protection of
>>  >	RFC1918 nets usage on outside interface.
>>  
>>  I think it is cheaper to add this protection with some discard routes,
>>  ie:
>>  
>>  	route add -net 10.0.0.0 -netmask 255.0.0.0 -reject
>>  	route add -net 172.16.0.0 -netmask 255.240.0.0 -reject
>>  	route add -net 192.168.0.0 -netmask 255.255.0.0 -reject
>>  	route add -net 127.0.0.0 -netmask 255.0.0.0 -reject
>>  
>>  (or use -blackhole if you prefer)
>>  
>
>I don't think so.
>Here is the situation where your method won't work:
>
>                 +--------------+
>                 |              |
>+--------+   +---*----+     +---*----+   +--------+
>|Internet|---|Router A|     |Router B|---|Intranet|
>+--------+   +--------+     +--------+   +--------+
>
>- Routers A and B have real IPs;
>- Router B also has one or more intranet (RFC1918) IPs;
>- Firewall is configured on Router A to protect a whole network;
>- Router A should be capable of connecting to intranet hosts.
>
>I have this scheme in my own network: router A has default route
>to the Internet and a route to the 192.168.0.0/16 network with
>next-hop Router B.

In such a case you need the deliberate deny rules, but most people
do not provide address to their border gateway from their RFC1918
networks.

>One more thing: with firewall I can log the attempts to access my
>intranet networks. Your method won't give this benefit, agree?

Agreed, it all depends on what you're trying to do.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"Drink MONO-tonic, it goes down but it will NEVER come back up!"
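The two approaches argued over in this thread, as an added toy model that is not part of the original exchange or of rc.firewall: reject routes are a destination-only lookup that ignores the arriving interface, while interface-bound deny rules can refuse private addresses on the outside interface, log each hit, and still let Router A reach the intranet via Router B. The outside interface name "ed0", the pseudo-interface "local" for Router A's own traffic, and all addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# RFC1918 private ranges (the nets the reject routes in the thread cover, minus 127/8).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Packet:
    src: str
    dst: str
    iface: str   # interface the packet arrives on at Router A ("local" = generated by A itself)

# --- Approach 1: -reject routes. Forwarding is a longest-prefix match on the
# destination only; a reject entry makes that destination unreachable no matter
# where the packet came from, and it never looks at the source address.
def route_lookup(table, dst):
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nexthop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def reject_route_verdict(table, pkt):
    return "drop" if route_lookup(table, pkt.dst) == "reject" else "forward"

# --- Approach 2: deny rules tied to the outside interface (rc.firewall style):
# a private src or dst is refused only when seen on the outside interface, and
# every hit is recorded, which is the logging benefit raised in the thread.
def firewall_verdict(pkt, outside="ed0", log=None):
    if pkt.iface == outside:
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if any(s in net or d in net for net in RFC1918):
            if log is not None:
                log.append(f"deny {pkt.src} -> {pkt.dst} on {pkt.iface}")
            return "drop"
    return "forward"

# Router A's table with the reject routes installed; 192.168.0.0/16 cannot also
# point at Router B, because both entries would claim the same prefix.
REJECT_TABLE = [(ipaddress.ip_network("0.0.0.0/0"), "internet")] + [(n, "reject") for n in RFC1918]

# Constructed packets (documentation-range addresses, not real hosts).
A_TO_INTRANET  = Packet("198.51.100.1", "192.168.2.10", "local")  # Router A reaching the intranet
SPOOFED_IN     = Packet("192.168.1.5", "198.51.100.1", "ed0")     # private source from the Internet
INTRANET_PROBE = Packet("203.0.113.7", "192.168.2.10", "ed0")     # Internet host probing the intranet

if __name__ == "__main__":
    hits = []
    for p in (A_TO_INTRANET, SPOOFED_IN, INTRANET_PROBE):
        print(f"{p.src:>13} -> {p.dst:<13} {p.iface:5} reject-route={reject_route_verdict(REJECT_TABLE, p):7} firewall={firewall_verdict(p, log=hits)}")
    print("\n".join(hits))
```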
