From owner-freebsd-security Tue Jul 25 2:35:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from asimov.freenix.no (asimov.freenix.no [195.139.70.52]) by hub.freebsd.org (Postfix) with ESMTP id C3D5337BD5C for ; Tue, 25 Jul 2000 02:35:45 -0700 (PDT) (envelope-from shamz@asimov.freenix.no)
Received: (from shamz@localhost) by asimov.freenix.no (8.9.3/8.9.3) id LAA17464 for freebsd-security@FreeBSD.ORG; Tue, 25 Jul 2000 11:35:42 +0200 (CEST)
Date: Tue, 25 Jul 2000 11:35:41 +0200
From: Shaun Jurrens
To: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000725113541.A17445@asimov.freenix.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Guys,

I see (sorry, just via the website) that you have run upon the same problem as I did when I started using natd and ipfw with rules. There was a suggested fix back in May on -net, iirc, and perhaps a PR, but no one seems to have committed the fix (??). In any case, since the divert routines re-inject the packets into the firewall, you will kill your own nat'd packets. One could probably fix this, but the suggested fix in May worked for me. One really just needed to search the lists (and bite your teeth at the dodgy results, please fix that script). I will paste my workaround. I actually have a setup that almost anyone could use, with state functions, etc. I almost thought about submitting it. Anyway, just add a small direction tag to the rules to stop the undesired behaviour.
# These are supposed to stop traffic from supposed RFC1918 nets
$fwcmd add 2200 deny all from 192.168.0.0:255.255.0.0 to any in via ${exif}
$fwcmd add 2300 deny all from any to 192.168.0.0:255.255.0.0 out via ${exif}
$fwcmd add 2400 deny all from 172.16.0.0:255.240.0.0 to any in via ${exif}
$fwcmd add 2500 deny all from any to 172.16.0.0:255.240.0.0 out via ${exif}
$fwcmd add 2600 deny all from 10.0.0.0:255.0.0.0 to any in via ${exif}
$fwcmd add 2700 deny all from any to 10.0.0.0:255.0.0.0 out via ${exif}

(You'll notice the addition of "in" and "out" to the rules. rc.firewall as is is not even usable with natd. It should be fixed/patched. I suggest using these for now.)

--
Yours truly,
Shaun D. Jurrens
shaun@shamz.net
0860 Oslo Norway
ircnet nick: shamz #chillout #unix #freebsd
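The failure mode in the message (natd re-injecting a translated packet into the rule chain, where an undirected RFC1918 rule then drops it) as an added example, not part of the original message or of FreeBSD's rc.firewall. It is a small Python model of ipfw's rule walk, not the kernel's code: it assumes a `divert natd` rule numbered 50 ahead of the rules 2200 to 2700 quoted above, a hypothetical external interface name `fxp0`, documentation-range addresses standing in for the real public and remote hosts, and a toy natd that only rewrites source and destination addresses. `reply_verdict(False)` uses the rules in their plain `via ${exif}` form and `reply_verdict(True)` uses the posted `in via` / `out via` form, so the two calls show the dropped reply and the fix side by side; `spoof_verdict()` checks that the tagged rules still block an inbound packet with a private source.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

EXIF = "fxp0"               # hypothetical external interface name
PUBLIC_IP = "203.0.113.10"  # constructed public address (TEST-NET-3)
REMOTE_IP = "198.51.100.7"  # constructed remote host (TEST-NET-2)
LAN_HOST = "192.168.1.5"    # constructed RFC1918 host behind natd

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str  # "in" or "out" relative to the firewall host


@dataclass(frozen=True)
class Rule:
    number: int
    action: str  # "deny", "allow" or "divert"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    iface: Optional[str] = None
    direction: Optional[str] = None  # None models plain "via": either direction


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse ipfw's addr:mask form (as used in the posted rules) or CIDR."""
    if ":" in spec:
        addr, mask = spec.split(":")
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def natd(pkt: Packet, table: dict) -> Packet:
    """Toy natd: outbound private sources become PUBLIC_IP and are remembered
    by remote address; inbound packets to PUBLIC_IP are mapped back."""
    if pkt.direction == "out" and ipaddress.ip_address(pkt.src).is_private:
        table[pkt.dst] = pkt.src
        return replace(pkt, src=PUBLIC_IP)
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP and pkt.src in table:
        return replace(pkt, dst=table[pkt.src])
    return pkt


def run(rules, pkt: Packet, table: Optional[dict] = None):
    """Walk rules in number order. A divert rule rewrites the packet and the
    walk continues at the next rule: that re-injection is what the message
    describes. Returns (verdict, rule number); 65535 is ipfw's implicit default."""
    table = {} if table is None else table
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt, table)
            continue
        return rule.action, rule.number
    return "deny", 65535


def rfc1918_rules(tag_direction: bool):
    """Rules 2200-2700 from the message. tag_direction=False is the plain
    'via ${exif}' form; True adds 'in' on source rules and 'out' on destination rules."""
    rules = [Rule(50, "divert", ANY, ANY, EXIF)]  # assumed natd divert ahead of the denies
    n = 2200
    for block in ("192.168.0.0:255.255.0.0", "172.16.0.0:255.240.0.0", "10.0.0.0:255.0.0.0"):
        rules.append(Rule(n, "deny", net(block), ANY, EXIF, "in" if tag_direction else None))
        rules.append(Rule(n + 100, "deny", ANY, net(block), EXIF, "out" if tag_direction else None))
        n += 200
    rules.append(Rule(65000, "allow", ANY, ANY))
    return rules


def reply_verdict(tag_direction: bool):
    """A LAN host's outbound packet, then the remote host's reply on the external
    interface. Returns (outbound verdict, (reply verdict, matching rule))."""
    rules = rfc1918_rules(tag_direction)
    table = {}
    out_verdict, _ = run(rules, Packet(LAN_HOST, REMOTE_IP, EXIF, "out"), table)
    reply = run(rules, Packet(REMOTE_IP, PUBLIC_IP, EXIF, "in"), table)
    return out_verdict, reply


def spoof_verdict():
    """Inbound packet with a private source on the external interface must still be denied."""
    return run(rfc1918_rules(True), Packet("10.1.2.3", PUBLIC_IP, EXIF, "in"))


if __name__ == "__main__":
    print("plain via:", reply_verdict(False))   # reply is dropped by rule 2300
    print("in/out via:", reply_verdict(True))   # reply reaches the allow rule
    print("spoofed 10/8 inbound:", spoof_verdict())
```

The trace without direction tags is the one described in the message: the reply to the public address is diverted, natd rewrites its destination to the 192.168 host, and on re-injection rule 2300 (`to 192.168.0.0:255.255.0.0 via ${exif}`) matches because a plain `via` tests the interface in both directions. With `out via` the rule only applies to packets leaving on the external interface, so the translated reply passes while a spoofed inbound private source is still caught by the `in via` rule.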