From owner-freebsd-security Mon Aug 24 09:04:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA17638 for freebsd-security-outgoing; Mon, 24 Aug 1998 09:04:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA17207 for ; Mon, 24 Aug 1998 09:03:32 -0700 (PDT) (envelope-from nbm@rucus.ru.ac.za)
Received: (qmail 12725 invoked by uid 1003); 24 Aug 1998 16:01:48 -0000
Message-ID: <19980824180148.A11376@rucus.ru.ac.za>
Date: Mon, 24 Aug 1998 18:01:48 +0200
From: Neil Blakey-Milner
To: Paul van der Zwan
Cc: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
References: <19980824145009.A25487@rucus.ru.ac.za> <199808241508.RAA04739@trantor.stuyts.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199808241508.RAA04739@trantor.stuyts.nl>; from Paul van der Zwan on Mon, Aug 24, 1998 at 05:08:49PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon 1998-08-24 (17:08), Paul van der Zwan wrote:
> add divert natd ip from any to any via tun0
> add allow ip from any to any via lo0
> add allow ip from any to any via de0
> add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
> add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
> #add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
> add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
> add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
> add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
> add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0

Ok, maybe I'm missing something here, but: why do you want to deny stuff
from 192.168.0.0:255.255.0.0 that is coming via your tun0 device? I assume
this is a modem connection between your work and home or something.

You should be more interested in blocking the reserved IPs coming from
other devices, surely?

You also might want to use rule numbers, to know which rules apply, and in
which order. As far as I remember, the most recently applied rule at a
number has precedence, and if you don't specify a number, it's given 0.
Your most recent case regarding 192.168.0.0:255.255.0.0 would be deny (if
you uncomment it).

Hope this helps.

Neil

-- 
Neil Blakey-Milner
nbm@rucus.ru.ac.za

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
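An added illustration of the ordering question raised in the reply (this is not code from the thread or from FreeBSD): a small Python simulator of ipfw's first-match evaluation, run over the ruleset quoted above. The rule numbers 100..1000 are assigned here, since the quoted rules carried none; the kernel's default rule 65535 is assumed to be deny; natd translation is not modelled, a divert match simply falls through to the next rule, which is where the packet natd hands back re-enters the chain on FreeBSD. The sample packets and their addresses are constructed for the example. Walking a 192.168.0.0/16 source through the rules shows which rule terminates for traffic arriving on tun0 versus de0, and what enabling the commented-out rule changes for an outside host addressing 192.168.0.0/16.

```python
# Added example, not from the original post. Assumptions: rule numbers are
# assigned here; default rule 65535 is deny (kernel built without
# IPFIREWALL_DEFAULT_TO_ACCEPT); divert is modelled as "continue at next rule".
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_RULE = (65535, "deny")

# The quoted ruleset, with rule numbers added for this example.
RULESET = """
add 100 divert natd ip from any to any via tun0
add 200 allow ip from any to any via lo0
add 300 allow ip from any to any via de0
add 400 deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add 500 deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
#add 600 deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
add 700 deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
add 800 deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
add 900 deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
add 1000 deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
"""

@dataclass
class Packet:
    src: str
    dst: str
    direction: str   # "in" or "out"
    iface: str       # receive interface for "in", transmit interface for "out"

@dataclass
class Rule:
    number: int
    action: str                            # "divert", "allow" or "deny"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    direction: Optional[str]               # "in", "out" or None (either)
    iface_kw: Optional[str]                # "via" (either side) or "recv"
    iface: Optional[str]

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.iface_kw == "via" and p.iface != self.iface:
            return False
        if self.iface_kw == "recv" and not (p.direction == "in" and p.iface == self.iface):
            return False
        return True

def parse_net(tok: str) -> Optional[ipaddress.IPv4Network]:
    if tok == "any":
        return None
    if ":" in tok:                         # ipfw's addr:mask spelling
        addr, mask = tok.split(":")
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(tok, strict=False)

def parse_rule(line: str) -> Optional[Rule]:
    """Parse the subset of ipfw syntax used above; '#' lines are comments."""
    toks = line.split()
    if not toks or toks[0].startswith("#"):
        return None
    assert toks[0] == "add"
    number, action, i = int(toks[1]), toks[2], 3
    if action == "divert":
        i += 1                             # skip the divert port name (natd)
    if toks[i] == "log":
        i += 1
    i += 1                                 # protocol keyword: ip or all
    assert toks[i] == "from" and toks[i + 2] == "to"
    src, dst = parse_net(toks[i + 1]), parse_net(toks[i + 3])
    i += 4
    direction = iface_kw = iface = None
    while i < len(toks):
        if toks[i] in ("in", "out"):
            direction, i = toks[i], i + 1
        elif toks[i] in ("via", "recv"):
            iface_kw, iface, i = toks[i], toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported keyword {toks[i]!r}")
    return Rule(number, action, src, dst, direction, iface_kw, iface)

def evaluate(rules: list, p: Packet):
    """Walk rules in number order; return (rule number, action, diverting rule numbers)."""
    diverted = []
    for r in sorted(rules, key=lambda r: r.number):
        if not r.matches(p):
            continue
        if r.action == "divert":
            diverted.append(r.number)      # to natd, then back in at the next rule
            continue
        return r.number, r.action, diverted
    return DEFAULT_RULE[0], DEFAULT_RULE[1], diverted

RULES = [r for r in map(parse_rule, RULESET.strip().splitlines()) if r is not None]
RULES_WITH_600 = [r for r in map(parse_rule, RULESET.replace("#add 600", "add 600").strip().splitlines()) if r is not None]

if __name__ == "__main__":
    samples = [  # constructed packets; addresses are made up for the example
        Packet("192.168.1.10", "10.0.0.5", "in", "tun0"),     # RFC1918 source arriving on tun0
        Packet("192.168.1.10", "192.168.1.1", "in", "de0"),   # same source on the LAN side
        Packet("198.51.100.7", "192.168.1.10", "in", "tun0"), # outside host aiming at 192.168/16
    ]
    for rules, name in ((RULES, "as posted"), (RULES_WITH_600, "rule 600 enabled")):
        for p in samples:
            print(name, p, "->", evaluate(rules, p))
```

The first sample is diverted by rule 100 and then stopped by rule 500; the same source arriving on de0 never reaches the tun0 rules and is accepted by rule 300. The third sample is only caught by the default rule in the ruleset as posted, and by rule 600 (which also logs) once that line is uncommented; in both cases the result is deny, as the reply says.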