From owner-freebsd-security Thu Jan 23 18:24:17 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C6CC637B48C; Thu, 23 Jan 2003 18:24:09 -0800 (PST)
Received: from digitalme.com (imap.digitalme.com [193.97.97.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3051F43F13; Thu, 23 Jan 2003 18:24:09 -0800 (PST) (envelope-from dkt@digitalme.com)
Received: from dkt [210.0.207.154] by digitalme.com with NIMS ModWeb Module; Fri, 24 Jan 2003 10:23:56 +0800
Subject: Re: Re: Egress filtering
From: Dung Patrick
To: fgleiser@cactus.fi.uba.ar
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 24 Jan 2003 10:23:56 +0800
X-Mailer: NIMS ModWeb Module
X-Sender: dkt
MIME-Version: 1.0
Message-ID: <1043375036.a20e0240dkt@digitalme.com>
Content-Type: text/plain; charset="BIG5"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

It seems that I got a quick fix with the help of ipfw. I added this rule to ipfw:

    ipfw add deny ip from not a.b.c.d to any out xmit xl0

where a.b.c.d is my fw public IP and xl0 is the public interface.

Regards,
Patrick

-----Original Message-----
From: Fernando Gleiser
To: Dung Patrick
Date: Thu, 23 Jan 2003 15:39:04 -0300 (ART)
Subject: Re: Egress filtering

On Thu, 23 Jan 2003, Dung Patrick wrote:

> Hello,
>
> For the egress filtering, I would only allow my firewall to send out
> packets with the public IP of the firewall address, not only drop
> outgoing packets with an RFC1918 source address.
>
> I have a rule like this in ipfilter:
>
>     block out log on dc0 from !fw_public_IP to any
>
> But I see this in my log:
>     192.168.0.1 (private LAN) -> a.b.c.d (a web server on the Internet)
>
> The ipfilter has dropped/logged the packet before NAT.
> If it is after NAT, my source address will be fw_public_IP and the above
> block rule will be skipped.

Ipfilter always sees the real IP. That is, it does filtering before NAT
for outgoing packets, and NAT before filtering for incoming ones.

			Fer

> Any suggestion?
>
> Regards,
> Patrick
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
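A constructed model of the ordering Fernando describes (ipfilter filters before NAT on output) next to Patrick's ipfw deny rule evaluated after natd has translated the packet. This is an added example, not code from the thread or from FreeBSD; 203.0.113.10 and 192.168.0.0/24 are assumed stand-ins for a.b.c.d and the private LAN, and only LAN sources are translated in the model.

```python
# Constructed model (not FreeBSD, ipfilter, ipfw or natd code) of where the
# egress source check from the thread runs relative to outbound NAT.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

FW_PUBLIC_IP = ip_address("203.0.113.10")   # stands in for a.b.c.d (assumed)
LAN = ip_network("192.168.0.0/24")          # private LAN behind the fw (assumed)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def egress_check(pkt: Packet) -> str:
    """The rule from the thread: block unless the source is the firewall's
    public IP ("block out log on dc0 from !fw_public_IP to any")."""
    return "pass" if pkt.src == FW_PUBLIC_IP else "block"


def nat_out(pkt: Packet) -> Packet:
    """Outbound source NAT. Model simplification: only LAN sources are
    rewritten to the firewall's public address."""
    return Packet(FW_PUBLIC_IP, pkt.dst) if pkt.src in LAN else pkt


def ipfilter_output(pkt: Packet) -> tuple:
    """ipfilter as Fernando describes it: filter first, NAT afterwards.
    Returns (verdict, source address the rule saw) - the address is what
    would appear in the ipfilter log line."""
    return egress_check(pkt), str(pkt.src)


def ipfw_after_natd_output(pkt: Packet) -> tuple:
    """Patrick's ipfw fix with the deny rule evaluated after natd, so the
    rule sees the already-translated source."""
    translated = nat_out(pkt)
    return egress_check(translated), str(translated.src)


def compare(src: str, dst: str = "198.51.100.7") -> dict:
    """Run one outbound packet (addresses as strings) through both models."""
    pkt = Packet(ip_address(src), ip_address(dst))
    return {"ipfilter": ipfilter_output(pkt),
            "ipfw_after_natd": ipfw_after_natd_output(pkt)}


if __name__ == "__main__":
    # Constructed samples: a LAN host, the firewall itself, and a source that
    # is neither (the case an egress filter is meant to stop).
    for src in ("192.168.0.1", "203.0.113.10", "10.9.9.9"):
        print(src, compare(src))
```

The LAN host is blocked by the pre-NAT ipfilter rule and logged with its 192.168.0.1 source, exactly the log line Patrick saw, while the post-NAT ipfw rule lets it through as the public IP; a source that is neither the LAN nor the firewall is blocked in both models.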