From owner-freebsd-security Mon Aug 24 10:46:26 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA05243 for freebsd-security-outgoing; Mon, 24 Aug 1998 10:46:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA05217 for ; Mon, 24 Aug 1998 10:46:15 -0700 (PDT) (envelope-from paulz@trantor.stuyts.nl)
Received: from stuyts by alushta.NL.net with UUCP id <10626-10129>; Mon, 24 Aug 1998 19:45:02 +0200
Received: from trantor.stuyts.nl (uucp@localhost) by terminus.stuyts.nl (8.9.1/8.8.8) with UUCP id TAA26654; Mon, 24 Aug 1998 19:35:28 +0200 (MET DST) (envelope-from paulz@trantor.stuyts.nl)
Received: from trantor.stuyts.nl (localhost [127.0.0.1]) by trantor.stuyts.nl (8.9.1/8.8.5) with ESMTP id TAA19285; Mon, 24 Aug 1998 19:26:15 +0200 (MET DST)
Message-Id: <199808241726.TAA19285@trantor.stuyts.nl>
X-Mailer: exmh version 2.0.2 2/24/98
To: Neil Blakey-Milner
Cc: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
In-reply-to: Your message of "Mon, 24 Aug 1998 18:01:48 +0200." <19980824180148.A11376@rucus.ru.ac.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 24 Aug 1998 19:26:14 +0200
From: Paul van der Zwan
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Mon 1998-08-24 (17:08), Paul van der Zwan wrote:
> > add divert natd ip from any to any via tun0
> > add allow ip from any to any via lo0
> > add allow ip from any to any via de0
> > add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
> > add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
> > #add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
> > add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
> > add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
> > add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
> > add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
>
> Ok, maybe I'm missing something here, but:
>
> Why do you want to deny stuff from 192.168.0.0:255.255.0.0 that is coming via
> your tun0 device? I assume this is a modem connection between your work and
> home or something.
>

Tun0 is the modem connection to my ISP. My FreeBSD box is connected to a LAN on the de0 interface containing some other computers, using 192.168.200.x as addresses. I don't want any RFC 1918 addresses coming in or going out on the link to my ISP. That is the reason for the rules above (which are a subset of all rules; they are followed by about 30 more).

> You should be more interested in blocking the reserved IPs coming from other
> devices, surely?

That is what I am trying to do. But by enabling the commented rule above I also block packets translated by natd, which I don't want to block but want to allow. Only there is no way to discriminate between packets having an RFC 1918 destination from the start and those which get it from natd.

> You also might want to use rule numbers, to know which rules apply, and in
> which order. As far as I remember, the most recently applied rule at a
> number has precedence, and if you don't specify a number, it's given 0. Your
> most recent case regarding 192.168.0.0:255.255.0.0 would be deny (if you
> uncomment it).

I had rules numbered, but I found it easier to put them all in a file and use ipfw flush followed by ipfw filename to load them all at once. It is too much trouble renumbering lines in the file if I inserted more lines than I left space for. If I see a deny in the log I usually use ipfw show if it is not immediately clear which rule is triggered.

> Hope this helps.

Not with my real problem, I'm afraid ;-)

Thanks
Paul
--
Paul van der Zwan    paulz @ trantor.stuyts.nl
"I think I'll move to theory, everything works in theory..."

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
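The conflict in the thread comes from ipfw rule ordering around the divert rule: a packet handed to natd is re-injected at the rule after the divert, so an anti-spoofing deny placed after the divert also matches inbound replies whose destination natd has just rewritten to a LAN address. The script below is an added example, not part of the original mail or of FreeBSD; it emits the poster's layout (with the commented-out rule enabled) next to a layout that puts the "in recv tun0" denies before the divert, plus a check that can be run on a rule file without ipfw installed. Interface names and the LAN prefix come from the mail; the rule numbers and the CIDR spelling of the masks are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD): two ipfw rule
# files for the gateway in the thread (ISP link on tun0, private LAN on de0,
# natd diverting on tun0). Rule numbers are an assumed layout; either file is
# loaded the way the poster does it: "ipfw flush; ipfw <file>".
#
# Why ordering matters: ipfw is first-match, and a packet diverted to natd is
# re-injected at the rule *after* the divert rule. A "deny ... to
# 192.168.0.0/16 in recv tun0" placed after the divert therefore also matches
# translated inbound replies, whose destination is now a LAN address. Placed
# before the divert it only sees packets that arrived from the ISP already
# carrying a private destination, which is the spoofing case it should catch.

EXT=tun0   # ISP link (from the mail)
LAN=de0    # internal LAN (from the mail)

# Layout from the thread with the commented-out rule enabled: breaks NAT,
# because rule 510 is evaluated for packets natd has already translated.
rules_deny_after_divert() {
    cat <<EOF
add 100 divert natd ip from any to any via $EXT
add 200 allow ip from any to any via lo0
add 300 allow ip from any to any via $LAN
add 400 deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add 500 deny log all from 192.168.0.0/16 to any in recv $EXT
add 510 deny log all from any to 192.168.0.0/16 in recv $EXT
add 520 deny log all from 172.16.0.0/12 to any in recv $EXT
add 530 deny log all from any to 172.16.0.0/12 in recv $EXT
add 540 deny log all from 10.0.0.0/8 to any in recv $EXT
add 550 deny log all from any to 10.0.0.0/8 in recv $EXT
EOF
}

# Corrected layout: the anti-spoofing denies on the ISP link come first and
# the divert comes after them, so natd's re-injected packets skip the denies.
rules_deny_before_divert() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 allow ip from any to any via $LAN
add 120 deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add 200 deny log all from 192.168.0.0/16 to any in recv $EXT
add 210 deny log all from any to 192.168.0.0/16 in recv $EXT
add 220 deny log all from 172.16.0.0/12 to any in recv $EXT
add 230 deny log all from any to 172.16.0.0/12 in recv $EXT
add 240 deny log all from 10.0.0.0/8 to any in recv $EXT
add 250 deny log all from any to 10.0.0.0/8 in recv $EXT
add 300 divert natd ip from any to any via $EXT
EOF
}

# Print the rule number of the first rule on stdin whose text contains $1.
rule_num() {
    awk -v pat="$1" 'index($0, pat) { print $2; exit }'
}

# Check a rule file on stdin: exit 0 only if every "deny ... in recv $EXT"
# rule is numbered below the divert rule, i.e. runs before natd sees the
# packet. Exit 1 otherwise (no divert rule at all also counts as a failure).
denies_precede_divert() {
    awk -v ext="$EXT" '
        BEGIN { divert = 0; max = 0 }
        /divert natd/ { divert = $2 + 0 }
        /deny/ && $0 ~ ("in recv " ext) { if ($2 + 0 > max) max = $2 + 0 }
        END { exit !(divert > 0 && max > 0 && max < divert) }'
}

# Usage (runs anywhere, ipfw not required):
#   rules_deny_after_divert  | denies_precede_divert || echo "NAT replies would be denied"
#   rules_deny_before_divert | denies_precede_divert && echo "ordering ok"
```

The check only inspects ordering relative to the divert; it does not replace reading the log and `ipfw show` counters after a rule change, which remains the way to confirm which rule actually fired on the box.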