From owner-freebsd-security Thu Jan 23 7:20:33 2003
Subject: Egress filtering
From: Dung Patrick
To: freebsd-security@FreeBSD.ORG
Date: Thu, 23 Jan 2003 23:20:29 +0800
Message-ID: <1043335229.ca145a00dkt@digitalme.com>

Hello,

For the egress filtering, I would only allow my firewall to send out packets only with the public IP of the firewall address. Not only dropping outgoing source addresses with RFC1918 addresses.

I have a rule like this in ipfilter:

block out log on dc0 from !fw_public_IP to any

But I see this in my log:

192.168.0.1 (private LAN) -> a.b.c.d (a web server in the Internet)

The ipfilter has dropped/logged the packet before NAT. If it is after NAT, my source address will be fw_public_IP and the above block rule will be skipped.

Any suggestion?

Regards,
Patrick
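As an added example (not part of Patrick's message), here is his rule beside an egress policy written for ipfilter's outbound order of operations, where filter rules are evaluated before ipnat translates the source address, so the rule on dc0 must admit the untranslated LAN range and reject everything else. The LAN range 192.168.0.0/24 and the ipnat map line are assumptions; fw_public_IP stays the page's placeholder for the firewall's public address.

```conf
# --- ipnat.conf (assumed): LAN hosts are translated to the firewall's public address
map dc0 192.168.0.0/24 -> fw_public_IP/32 portmap tcp/udp 10000:60000
map dc0 192.168.0.0/24 -> fw_public_IP/32

# --- ipf.conf
# Rule from the message. On the outbound path ipfilter evaluates rules BEFORE NAT,
# so a LAN packet still carries 192.168.0.x as its source here and is blocked/logged
# even though it would leave dc0 with fw_public_IP after translation.
#   block out log on dc0 from !fw_public_IP to any

# Corrected egress policy: default-deny with logging, then pass (quick, last match
# wins otherwise) only the firewall's own address and the LAN range that ipnat will
# translate. A LAN host forging any other source address is still blocked and logged.
block out log on dc0 all
pass out quick on dc0 from fw_public_IP to any keep state
pass out quick on dc0 from 192.168.0.0/24 to any keep state
```

Packets with a forged or non-RFC1918 source from inside will now show up in the log as the first `block out log` rule's hits, while legitimate LAN traffic is translated and leaves with fw_public_IP.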