From owner-freebsd-security Sat Jan 25 13:17:15 2003
Date: Sat, 25 Jan 2003 20:46:45 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Egress filtering
Message-ID: <20030125204645.Y4807@shell.gsinet.sittig.org>
References: <1043335229.ca145a00dkt@digitalme.com>
In-Reply-To: <1043335229.ca145a00dkt@digitalme.com>; from dkt@digitalme.com on Thu, Jan 23, 2003 at 11:20:29PM +0800
Organization: System Defenestrators Inc.

On Thu, Jan 23, 2003 at 23:20 +0800, Dung Patrick wrote:
>
> For the egress filtering, I would only allow my firewall to send out
> packets with the public IP of the firewall as the source address, not
> only drop outgoing packets with an RFC1918 source address.
>
> I have a rule like this in ipfilter:
>
> block out log on dc0 from !fw_public_IP to any
>
> But I see this in my log:
> 192.168.0.1 (private LAN) -> a.b.c.d (a web server on the Internet)
> ipfilter has dropped/logged the packet before NAT. If it were after
> NAT, my source address would be fw_public_IP and the above block rule
> would be skipped.

You didn't say what other rules are there. Since you don't have the
"quick" keyword in the above rule, the "block" action is just an
assumption which could be "corrected" by later rules the packet gets
passed to. I.e. this is not a final decision, since you specified so
in your rule set. :)

Make sure you have read the excellent ipfilter HowTo, available on the
homepage. And make use of the offline test program which tells you
what it _would_ do to a certain packet when being fed with a certain
rule set (see `man ipftest`). You can even feed this tool with pcap
files or tcpdump(1) text output to kind of replay what you have met in
real life.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
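The point about "quick" in the reply above is easy to get wrong, so here is an added example (not code from the thread, from IPFilter, or from ipftest) that models the one semantic that matters here: ipfilter keeps scanning after a match, and the last matching rule decides the packet's fate unless a matching rule carries "quick". It parses a tiny subset of ipf.conf (block/pass, in/out, log, quick, on, from, to, all, "any" and "!addr") and evaluates Patrick's rule both as posted and with "quick" added, against a leaked LAN-sourced packet and a correctly NATed one. Assumptions: 203.0.113.10 stands in for fw_public_IP and 198.51.100.7 for the remote web server (both RFC 5737 documentation addresses), the trailing "pass out" rule is a guess at what a typical rule set contains, and logging, keep state, NAT, protocols and ports are deliberately not modelled.

```python
"""Toy evaluator for a small subset of ipfilter's rule language.

Added example, not IPFilter code. It models only this: the LAST matching
rule wins, unless a matching rule says "quick", which ends the scan.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AddrSpec = Tuple[bool, Optional[ipaddress.IPv4Network]]  # (negated, net); net None == any


@dataclass
class Rule:
    action: str                # "block" or "pass"
    direction: Optional[str]   # "in", "out" or None (either)
    quick: bool
    log: bool                  # parsed but not acted on here
    iface: Optional[str]
    src: AddrSpec
    dst: AddrSpec
    text: str


@dataclass
class Packet:
    direction: str
    iface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_addr(tok: str) -> AddrSpec:
    """'any', '10.0.0.0/8' or '!203.0.113.10' -> (negated, network)."""
    if tok == "any":
        return (False, None)
    return (tok.startswith("!"), ipaddress.ip_network(tok.lstrip("!"), strict=False))


def parse_rule(line: str) -> Rule:
    toks = line.split()
    if toks[0] not in ("block", "pass"):
        raise ValueError(f"unsupported action in rule: {line!r}")
    rule = Rule(toks[0], None, False, False, None, (False, None), (False, None), line)
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok == "quick":
            rule.quick = True
        elif tok == "log":
            rule.log = True
        elif tok == "all":
            pass                                  # "all" == "from any to any"
        elif tok in ("on", "from", "to"):
            i += 1                                # keyword takes one argument
            if tok == "on":
                rule.iface = toks[i]
            elif tok == "from":
                rule.src = parse_addr(toks[i])
            else:
                rule.dst = parse_addr(toks[i])
        else:
            raise ValueError(f"unsupported keyword {tok!r} in rule: {line!r}")
        i += 1
    return rule


def parse_rules(conf: str) -> List[Rule]:
    lines = [ln.split("#", 1)[0].strip() for ln in conf.splitlines()]
    return [parse_rule(ln) for ln in lines if ln]


def addr_matches(spec: AddrSpec, ip: ipaddress.IPv4Address) -> bool:
    negated, net = spec
    return True if net is None else (ip in net) != negated


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction) and rule.iface in (None, pkt.iface)
            and addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """(decision, deciding rule). No match at all -> pass (ipfilter's default);
    otherwise the last match wins, except a matching "quick" rule stops the scan."""
    decision: Tuple[str, Optional[str]] = ("pass", None)
    for rule in rules:
        if rule_matches(rule, pkt):
            decision = (rule.action, rule.text)
            if rule.quick:
                break
    return decision


FW_PUBLIC_IP = "203.0.113.10"  # assumption: placeholder for fw_public_IP
WEB_SERVER = "198.51.100.7"    # assumption: placeholder for a.b.c.d

# Patrick's rule as posted, followed by an assumed ordinary "pass out" rule.
RULES_NO_QUICK = f"block out log on dc0 from !{FW_PUBLIC_IP} to any\npass out on dc0 from any to any\n"
# Same rule set with "quick": the block is now the final decision.
RULES_QUICK = f"block out log quick on dc0 from !{FW_PUBLIC_IP} to any\npass out on dc0 from any to any\n"

# Constructed packets: a LAN source that escaped NAT, and a correctly NATed one.
LEAKED = Packet("out", "dc0", ipaddress.IPv4Address("192.168.0.1"), ipaddress.IPv4Address(WEB_SERVER))
NATED = Packet("out", "dc0", ipaddress.IPv4Address(FW_PUBLIC_IP), ipaddress.IPv4Address(WEB_SERVER))


def compare() -> Dict[str, str]:
    """Final decision for each (rule set, packet) pair."""
    return {
        "no_quick/leaked": evaluate(parse_rules(RULES_NO_QUICK), LEAKED)[0],
        "quick/leaked": evaluate(parse_rules(RULES_QUICK), LEAKED)[0],
        "no_quick/nated": evaluate(parse_rules(RULES_NO_QUICK), NATED)[0],
        "quick/nated": evaluate(parse_rules(RULES_QUICK), NATED)[0],
    }


if __name__ == "__main__":
    for case, verdict in compare().items():
        print(f"{case:16s} -> {verdict}")
```

Without "quick", the leaked 192.168.0.1 packet matches the block rule and then the later pass rule, so the pass rule is the final decision and the packet leaves anyway; with "quick" the block rule ends the scan and the packet is dropped. The NATed packet does not match the negated source at all and is passed in both rule sets. For the real rule set, ipftest(8) on the actual ipf.conf is the authoritative check; this script only illustrates why rule order and "quick" change the verdict.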