From owner-freebsd-security  Tue Jul 25 14:28:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id 7066B37BA6B
	for <freebsd-security@FreeBSD.ORG>; Tue, 25 Jul 2000 14:28:27 -0700 (PDT)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id OAA52048;
	Tue, 25 Jul 2000 14:28:09 -0700 (PDT)
	(envelope-from freebsd)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Message-Id: <200007252128.OAA52048@gndrsh.dnsmgr.net>
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <Pine.BSF.4.21.0007251250050.27676-100000@snafu.adept.org> from Mike Hoskins at "Jul 25, 2000 12:50:46 pm"
To: mike@adept.org (Mike Hoskins)
Date: Tue, 25 Jul 2000 14:28:09 -0700 (PDT)
Cc: stephen@math.missouri.edu (Stephen Montgomery-Smith),
	freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
> 
> > We could add another option to natd that would disallow 
> > any outgoing packets sent to an unregistered ip address,
> > and disallow any incoming packets from or to an unregistered
> > ip address.  Call it -antispoof.
> 
> If it makes it easier for everyone (and I don't see how it wouldn't), I'll
> cast my vote for -antispoof.

And I'll cast my vote against -antispoof for the following reasons.

a)  The non-problem it attempts to solve can be handled by a correct
    ipfw rule set.

b)  These are RFC1918 addresses and have little to nothing to do with
    spoofing.  RFC1918 != spoof.  Spoofing occurs when using ligitmate
    globally routed IP addresses, usually the attack targets address as a
    source address in a packet.  The flag should be -antirfc1918.

c)  It also totally ignores the fact that the problematic IP addresses
    are much more than RFC1918 and include the following:
	0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4
    that need to be dealt with properly and carefully at both interfaces
    in a firewall.

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message