From owner-freebsd-security Thu Oct 22 14:07:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA01074 for freebsd-security-outgoing; Thu, 22 Oct 1998 14:07:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from horst.bfd.com (horst.bfd.com [12.9.219.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA01063 for ; Thu, 22 Oct 1998 14:07:13 -0700 (PDT) (envelope-from ejs@bfd.com)
Received: from HARLIE.bfd.com (bastion.bfd.com [12.9.219.14]) by horst.bfd.com (8.9.1/8.9.1) with ESMTP id OAA04810; Thu, 22 Oct 1998 14:06:22 -0700 (PDT) (envelope-from ejs@bfd.com)
Date: Thu, 22 Oct 1998 14:06:22 -0700 (PDT)
From: "Eric J. Schwertfeger"
To: Dan Langille
cc: freebsd-security@FreeBSD.ORG
Subject: Re: default rules in rc.firewall cause problem
In-Reply-To: <199810222056.JAA23805@witch.xtra.co.nz>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 23 Oct 1998, Dan Langille wrote:

> Hmmm, could your explanation be the cause of what I'm seeing here? And would
> the modification to the rule make sense?

Yes.

> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

As long as that comes before the natd divert, it will keep any packets resulting from the crack attempt from going back. Most DOS attacks don't need to get their replies back, however. It's better than nothing, though.

> It will deny all outgoing packets but allow incoming packets, which are what natd is effectively doing. If
> I read /etc/rc.firewall correctly, there are other default rules higher up in the list which will prevent
> incoming packets pretending to be from 192.168.0.0/24.
> For example:

The problem is, under -stable, when a packet going back into a masqueraded connection goes into natd, it comes back out starting all over at the first rule, and the firewall rules have no way of knowing that the packet didn't really come from the outside world.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message