From owner-freebsd-security Thu Oct 22 16:08:13 1998
Date: Fri, 23 Oct 1998 12:06:39 +1300 (NZDT)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Dan Langille
cc: freebsd-security@FreeBSD.ORG
Subject: Re: default rules in rc.firewall cause problem
In-Reply-To: <199810221629.FAA27065@cyclops.xtra.co.nz>

On Fri, 23 Oct 1998, Dan Langille wrote:

> I've been setting up a firewall using the open model supplied in
> /etc/rc.firewall as the basis of our security. I've found that one of the
> rules, designed to "# Stop RFC1918 nets on the outside interface" does not
> seem to be very useful, at least in my situation. The rule in question is:
>
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>
> The subnet is within the 192.168.*.* range. ed1 is the subnet, and ed0 is
> the ISP. In order for any traffic to get outside, I need to modify the
> above rule to:
>
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

Are you using natd or iijppp's address translation? The ppp translation
seems to happen after the packets have been through the firewall. In any
case, if you are using ppp's translation the RFC1918 rules are not needed
or useful.
Andrew
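The effect Dan describes, modelled as an added example (not code from the thread or from FreeBSD): a minimal first-match evaluator for the two forms of the rc.firewall rule, showing that "via ${oif}" also matches inbound packets whose destination has already been translated back to a 192.168 address, while "out" only catches traffic leaving the outside interface. The inside LAN (192.168.1.0/24), the remote address and the assumption that NAT rewrites inbound replies before the firewall sees them are constructed for the illustration.

```python
import ipaddress

def parse_target(spec):
    """Turn an ipfw 'addr:mask' target, or 'any', into a network (None = any)."""
    if spec == "any":
        return None
    addr, mask = spec.split(":")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def rule_matches(rule, pkt):
    """ipfw qualifier semantics: 'via' matches a packet entering OR leaving
    the interface; 'in' / 'out' match only that direction."""
    for key in ("src", "dst"):
        net = parse_target(rule[key])
        if net is not None and ipaddress.ip_address(pkt[key]) not in net:
            return False
    if rule["iface"] != pkt["iface"]:
        return False
    return rule["direction"] in ("via", pkt["direction"])

def verdict(rules, pkt):
    """First matching rule wins; the open model ends with 'allow ip from any to any'."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "allow"

OIF = "ed0"
# rc.firewall as shipped: deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
VIA_RULE = {"action": "deny", "src": "any", "dst": "192.168.0.0:255.255.0.0",
            "iface": OIF, "direction": "via"}
# Dan's modification: the same rule with 'out' appended
OUT_RULE = dict(VIA_RULE, direction="out")

# Constructed packets as the firewall sees them when ppp/NAT translates the
# reply's destination back to the LAN address before the rules run.
OUTBOUND = {"src": "192.168.1.10", "dst": "198.51.100.7", "iface": OIF, "direction": "out"}
REPLY    = {"src": "198.51.100.7", "dst": "192.168.1.10", "iface": OIF, "direction": "in"}
LEAK     = {"src": "192.168.1.10", "dst": "192.168.5.5",  "iface": OIF, "direction": "out"}

def compare():
    """Packet name -> (verdict under the 'via' rule, verdict under the 'out' rule)."""
    return {name: (verdict([VIA_RULE], p), verdict([OUT_RULE], p))
            for name, p in (("outbound", OUTBOUND), ("reply", REPLY), ("leak", LEAK))}

if __name__ == "__main__":
    for name, (via, out) in compare().items():
        print(f"{name:9s} via: {via:6s} out: {out}")
```

The "out" form still blocks a packet that would carry a private destination onto the ISP link (the `LEAK` case), which is all the RFC1918 rule was meant to do; the "via" form additionally drops every translated reply, which is why Dan saw no return traffic.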