Date: Sun, 12 Apr 1998 13:59:00 +0200
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: Ruslan Ermilov <ru@ucb.crimea.ua>
Cc: freebsd-bugs@hub.freebsd.org
Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
Message-ID: <16224.892382340@critter.freebsd.dk>
In-Reply-To: Your message of "Sun, 12 Apr 1998 14:33:55 +0300." <19980412143355.01888@ucb.crimea.ua>
>> > There is only one half of protection of
>> > RFC1918 nets usage on outside interface.
>>
>> I think it is cheaper to add this protection with some discard routes,
>> ie:
>>
>> route add -net 10.0.0.0 -netmask 255.0.0.0 -reject
>> route add -net 172.16.0.0 -netmask 255.240.0.0 -reject
>> route add -net 192.168.0.0 -netmask 255.255.0.0 -reject
>> route add -net 127.0.0.0 -netmask 255.0.0.0 -reject
>>
>> (or use -blackhole if you prefer)
>>
>
>I don't think so.
>Here is the situation where your method won't work:
>
>                 +--------------+
>                 |              |
>+--------+   +---*----+     +---*----+   +--------+
>|Internet|---|Router A|     |Router B|---|Intranet|
>+--------+   +--------+     +--------+   +--------+
>
>- Routers A and B have real IPs;
>- Router B also has one or more intranet (RFC1918) IPs;
>- Firewall is configured on Router A to protect a whole network;
>- Router A should be capable of connecting to intranet hosts.
>
>I have this scheme in my own network: router A has default route
>to the Internet and a route to the 192.168.0.0/16 network with
>next-hop Router B.

In such case you need the deliberate deny rules, but most people do not
provide address to their border gateway from their RFC1918 networks.

>One more thing: with firewall I can log the attempts to access my
>intranet networks. Your method won't give this benefit, agree?

Agree, it all depends what you're trying to do.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"Drink MONO-tonic, it goes down but it will NEVER come back up!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
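The two halves of the outside-interface check that the thread argues about, simulated in POSIX sh, as an added example that is not part of this thread or of rc.firewall itself: one function gives the verdict of the deny rules for a packet (private source, the half already present; private destination, the half the PR asks for), and another prints the corresponding logged ipfw rules, which the reject routes cannot provide. Function names, the interface name ed0 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: models both halves of the RFC1918 check
# on the outside interface. The half rc.firewall has drops packets whose
# SOURCE is private; the half the PR asks for drops packets whose DESTINATION
# is private. Function names and sample addresses are made up for illustration.

PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# dotted quad -> unsigned 32-bit integer
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/LEN -> exit 0 if ADDR lies inside NET/LEN
in_net() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_private ADDR -> exit 0 if ADDR is RFC1918 or loopback
is_private() {
    for n in $PRIVATE_NETS; do
        in_net "$1" "$n" && return 0
    done
    return 1
}

# filter_outside SRC DST -> verdict of the outside-interface rules for one packet
filter_outside() {
    if is_private "$1"; then echo deny-src       # half one: private source
    elif is_private "$2"; then echo deny-dst     # half two: private destination
    else echo allow
    fi
}

# ipfw_rules OIF -> rc.firewall-style rules for both halves, logged
ipfw_rules() {
    for n in $PRIVATE_NETS; do
        echo "ipfw add deny log all from $n to any in via $1"
        echo "ipfw add deny log all from any to $n out via $1"
    done
}
```

Note that the "out via" rules only touch the outside interface, so Router A's route to 192.168.0.0/16 via Router B on the inside is unaffected, which is exactly the case where the reject routes would break it.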