Date: Fri, 23 Oct 1998 11:00:00 +1300
From: "Dan Langille" <junkmale@xtra.co.nz>
To: "Eric J. Schwertfeger" <ejs@bfd.com>, freebsd-security@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: default rules in rc.firewall cause problem
Message-ID: <199810222159.KAA04958@witch.xtra.co.nz>
In-Reply-To: <Pine.BSF.4.05.9810221359580.8461-100000@harlie.bfd.com>
References: <199810222056.JAA23805@witch.xtra.co.nz>
On 22 Oct 98, at 14:06, Eric J. Schwertfeger wrote:
> On Fri, 23 Oct 1998, Dan Langille wrote:
>
> > Hmmm, could your explanation be the cause of what I'm seeing here? And would
> > the modification to the rule make sense?
>
> Yes.
>
> > $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out
>
> As long as that comes before the natd divert, it will keep any packets
> resulting from the crack attempt from going back. Most DoS attacks don't
> need to get their replies back, however. It's better than nothing,
> though.
For what it's worth, I moved the modified rule to be above the divert. It
seems to work fine, as it did before, but as you say, better than
nothing. Cheers.
> > It will deny all outgoing packets but allow incoming packets, which are
> > what natd is effectively doing. If I read /etc/rc.firewall correctly,
> > there are other default rules higher up in the list which will prevent
> > incoming packets pretending to be from 192.168.0.0/24. For example:
>
> The problem is, under -stable, when a packet going back into a
> masqueraded connection goes into natd, it comes back out starting all over
> at the first rule, and the firewall rules have no way of knowing that the
> packet didn't really come from the outside world.
This may be enough to push us onto -current. Will the fix be included
with 2.2.8?
Thanks. Your help has been appreciated.
--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199810222159.KAA04958>
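The ordering the thread settles on, written out as an added example rather than anything taken from the original post or from /etc/rc.firewall: a dry-run fragment in the style of rc.firewall's "simple" section that installs the outbound deny for the inside net with a lower rule number than the `divert natd` rule, plus a small check that reads such a ruleset back and confirms the deny is evaluated first. The interface name, the rule numbers and the `fwcmd` default of `echo /sbin/ipfw` are assumptions made for this example; the 192.168.0.0:255.255.0.0 mask syntax is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from /etc/rc.firewall.
# fwcmd defaults to a dry run that only prints the rules it would install;
# set fwcmd=/sbin/ipfw on a real FreeBSD box. oif and the rule numbers are
# assumed values for illustration.
fwcmd="${fwcmd:-echo /sbin/ipfw}"
oif="${oif:-ed0}"                   # outside (public) interface, assumed name
inet="192.168.0.0:255.255.0.0"      # inside net, mask syntax as used in the thread

# Corrected order: the deny that stops replies to the inside net leaving on the
# outside interface is numbered below the divert, so ipfw evaluates it before
# the packet is handed to natd.
install_rules() {
    # Anti-spoof: inside-net source addresses never belong on the outside interface
    $fwcmd add 100 deny all from $inet to any via $oif
    # The modified rule from the thread, placed above the divert
    $fwcmd add 200 deny all from any to $inet via $oif out
    # Everything else on the outside interface goes through natd
    $fwcmd add 300 divert natd all from any to any via $oif
    $fwcmd add 65000 pass all from any to any
}

# The placement the thread started from: same rules, but the deny sits after
# the divert, so a packet reaches natd before the deny is ever consulted.
original_order() {
    $fwcmd add 100 deny all from $inet to any via $oif
    $fwcmd add 200 divert natd all from any to any via $oif
    $fwcmd add 300 deny all from any to $inet via $oif out
    $fwcmd add 65000 pass all from any to any
}

# Read dry-run output ("/sbin/ipfw add NNN ...") on stdin and return 0 when the
# outbound deny to 192.168.0.0/16 has a lower rule number than `divert natd`,
# 1 otherwise. Field 3 is the rule number in the "add NNN" form emitted above.
check_order() {
    awk '
        /deny all from any to 192\.168\./ && /out/ && deny == "" { deny = $3 }
        /divert natd/ && divert == ""                            { divert = $3 }
        END {
            if (deny != "" && divert != "" && deny + 0 < divert + 0) exit 0
            exit 1
        }'
}

# Usage: install_rules | check_order && echo "deny precedes divert"
```

Run the script as-is to see the rules it would install; pipe `install_rules` or `original_order` into `check_order` to see which placement passes. On a live system the same check can be run against the rule numbers shown by `ipfw list`, adjusting the awk field for that output format.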
