Date:      Tue, 25 Jul 2000 11:35:41 +0200
From:      Shaun Jurrens <shamz@freenix.no>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Problems with natd and simple firewall
Message-ID:  <20000725113541.A17445@asimov.freenix.no>

Hi Guys,

I see (sorry, just via the website) that you have run upon the same problem as I
did, when I started using natd and ipfw with rules.  There was a suggested fix
back in May on -net, iirc and perhaps a PR, but no one seems to have committed
the fix (??).  In any case, since the divert routines re-inject the packets into
the firewall, you will kill your own nat'd packets.  One could probably fix
this, but the suggested fix in May worked for me.  One really just needed to
search the lists (and bite your teeth at the dodgy results, please fix that
script).  I will paste my workaround.  I actually have a setup that almost
anyone could use, with state functions, etc.  I almost thought about submitting
it.  Anyway, just add a small direction tag to the rules to stop the undesired
behaviour.

# These are supposed to stop traffic from supposed RFC1918 nets

$fwcmd add 2200 deny all from 192.168.0.0:255.255.0.0 to any in via ${exif}
$fwcmd add 2300 deny all from any to 192.168.0.0:255.255.0.0 out via ${exif}
$fwcmd add 2400 deny all from 172.16.0.0:255.240.0.0 to any in via ${exif}
$fwcmd add 2500 deny all from any to 172.16.0.0:255.240.0.0 out via ${exif}
$fwcmd add 2600 deny all from 10.0.0.0:255.0.0.0 to any in via ${exif}
$fwcmd add 2700 deny all from any to 10.0.0.0:255.0.0.0 out via ${exif}

(You'll notice the addition of "in" and "out" to the rules.  rc.firewall as is
is not even usable with natd.  It should be fixed/patched.  I suggest using
these for now)

-- 

Yours truly,

Shaun D. Jurrens
shaun@shamz.net

0860 Oslo
Norway


ircnet nick: shamz #chillout #unix #freebsd


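To make the mechanism in the post concrete, here is an added illustration (not part of the original message and not rc.firewall code): a small Python model of ipfw's rule walk in which a diverted packet is handed to a natd stand-in and re-injected at the rule after the divert rule, and plain `via` matches both directions while `in`/`out` restrict a rule to one. The addresses, the CIDR spelling of the nets and the rule layout (divert first, then the RFC1918 pairs) are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
PUBLIC = ip_address("203.0.113.10")   # constructed: public address on ${exif}
INSIDE = ip_address("192.168.1.5")    # constructed: one LAN host behind natd
RFC1918 = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

def rule(num, action, src="any", dst="any", direction=None):
    """One reduced ipfw rule; direction None models a plain 'via ${exif}'."""
    return {"num": num, "action": action, "src": src, "dst": dst, "dir": direction}

def _match(r, pkt):
    if r["dir"] is not None and r["dir"] != pkt["dir"]:
        return False  # 'in' / 'out' restrict the rule; plain 'via' matches both
    return all(spec == "any" or pkt[key] in ip_network(spec)
               for key, spec in (("src", r["src"]), ("dst", r["dst"])))

def natd(pkt):
    """Stand-in for natd: masquerade outbound, un-translate inbound replies."""
    p = dict(pkt)
    if pkt["dir"] == "out":
        p["src"] = PUBLIC
    elif pkt["dst"] == PUBLIC:
        p["dst"] = INSIDE
    return p

def ipfw(rules, pkt, start=0):
    """Walk the rules; a diverted packet is re-injected after the divert rule."""
    for i in range(start, len(rules)):
        r = rules[i]
        if not _match(r, pkt):
            continue
        if r["action"] == "divert":
            return ipfw(rules, natd(pkt), start=i + 1)
        return r["action"]
    return "allow"  # only the anti-spoof rules matter for this model

def ruleset(directional):
    """Divert first, then the RFC1918 pairs with or without in/out tags."""
    rules = [rule(100, "divert")]
    for i, net in enumerate(RFC1918):
        base = 2200 + 200 * i
        rules.append(rule(base, "deny", src=net, direction="in" if directional else None))
        rules.append(rule(base + 100, "deny", dst=net, direction="out" if directional else None))
    return rules

def outbound_request(rules):
    return ipfw(rules, {"src": INSIDE, "dst": ip_address("198.51.100.7"), "dir": "out"})

def inbound_reply(rules):
    return ipfw(rules, {"src": ip_address("198.51.100.7"), "dst": PUBLIC, "dir": "in"})
```

Without the direction tags the untranslated inbound reply (destination now 192.168.1.5) hits the "to 192.168.0.0/16" deny after re-injection; with `out` on that rule it no longer matches an inbound packet.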