Date:      Thu, 22 Oct 1998 14:06:22 -0700 (PDT)
From:      "Eric J. Schwertfeger" <ejs@bfd.com>
To:        Dan Langille <junkmale@xtra.co.nz>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: default rules in rc.firewall cause problem
Message-ID:  <Pine.BSF.4.05.9810221359580.8461-100000@harlie.bfd.com>
In-Reply-To: <199810222056.JAA23805@witch.xtra.co.nz>

On Fri, 23 Oct 1998, Dan Langille wrote:

> Hmmm, could your explanation be the cause of what I'm seeing here?  And would
> the modification to the rule make sense?

Yes.

> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

As long as that comes before the natd divert, it will keep any packets
resulting from the crack attempt from going back.  Most DOS attacks don't
need to get their replies back, however.  It's better than nothing,
though.

> It will deny all outgoing packets but allow incoming packets, which is what
> natd is effectively doing.  If I read /etc/rc.firewall correctly, there are
> other default rules higher up in the list which will prevent incoming
> packets pretending to be from 192.168.0.0/24.  For example:

The problem is, under -stable, when a packet going back into a
masqueraded connection goes into natd, it comes back out starting all over
at the first rule, and the firewall rules have no way of knowing that the
packet didn't really come from the outside world.
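
The rule ordering this reply describes, written out as an added example that is not part of the original message or of FreeBSD's own rc.firewall: a minimal ipfw ruleset in which the deny rule from the thread sits ahead of the natd divert, so a packet that natd hands back (and which then re-enters at the first rule) is dropped before it can leave the outside interface. The outside interface name (ed0), the explicit rule numbers, the "established" allow and the final deny are assumptions added for illustration; rc.firewall itself uses unnumbered `add` lines. FWCMD defaults to `echo ipfw`, so the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the original message's or FreeBSD's rc.firewall code.
# FWCMD="echo ipfw" by default: the rules are printed, not loaded.
# Set FWCMD=ipfw on a FreeBSD host with ipfw and natd to load them for real.
FWCMD="${FWCMD:-echo ipfw}"
OIF="${OIF:-ed0}"                   # assumed outside (masquerading) interface
INNER="192.168.0.0:255.255.0.0"     # inner address space, as in the thread

build_rules() {
    # 1. Nothing addressed to the inner space may leave via the outside
    #    interface. This rule MUST precede the divert: under the behaviour
    #    described in the thread, a packet coming back out of natd starts
    #    over at the first rule, and rules placed after the divert cannot
    #    tell that it originally arrived from outside.
    $FWCMD add 100 deny all from any to $INNER via $OIF out
    # 2. Inbound anti-spoof: no packet on the outside interface may claim an
    #    inner source address.
    $FWCMD add 200 deny all from $INNER to any via $OIF in
    # 3. Hand everything crossing the outside interface to natd.
    $FWCMD add 300 divert natd all from any to any via $OIF
    # 4. Ordinary policy follows (assumed placeholder rules).
    $FWCMD add 400 allow tcp from any to any established
    $FWCMD add 65000 deny all from any to any
}

rule_number_of() {
    # Print the rule number of the first emitted rule whose text contains $1.
    build_rules | grep "$1" | head -n 1 | awk '{print $3}'
}

deny_before_divert() {
    # Succeeds (exit 0) only if the inner-destination deny precedes the divert.
    [ "$(rule_number_of "to $INNER")" -lt "$(rule_number_of divert)" ]
}

build_rules
deny_before_divert && echo "ok: deny rule precedes the natd divert"
```

Run it as-is to see the ordered ruleset; `deny_before_divert` is a cheap check worth keeping in any script that edits the rule numbers later, since the protection depends entirely on rule 100 staying below the divert.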

