From owner-freebsd-bugs Sun Apr 12 01:50:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA06927 for freebsd-bugs-outgoing; Sun, 12 Apr 1998 01:50:03 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA06921; Sun, 12 Apr 1998 01:50:02 -0700 (PDT) (envelope-from gnats)
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [194.93.177.113]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA06824 for ; Sun, 12 Apr 1998 01:48:15 -0700 (PDT) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.8.8/8.8.8) id LAA24223; Sun, 12 Apr 1998 11:48:05 +0300 (EEST) (envelope-from ru)
Message-Id: <199804120848.LAA24223@relay.ucb.crimea.ua>
Date: Sun, 12 Apr 1998 11:48:05 +0300 (EEST)
From: Ruslan Ermilov
Reply-To: ru@ucb.crimea.ua
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         6278
>Category:       conf
>Synopsis:       /etc/rc.firewall: better RFC1918 nets protection
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 12 01:50:01 PDT 1998
>Last-Modified:
>Originator:     Ruslan Ermilov
>Organization:
>Release:        FreeBSD 2.2.6-STABLE i386
>Environment:
FreeBSD 2.2.6-STABLE #0: Sat Apr 11 20:19:27 EEST 1998
>Description:
There is only one half of the protection against RFC1918 net usage on the outside interface.
>How-To-Repeat:
See the source.
>Fix:
Index: rc.firewall
===================================================================
RCS file: /usr/FreeBSD-CVS/src/etc/rc.firewall,v
retrieving revision 1.6.2.6
diff -u -r1.6.2.6 rc.firewall
--- rc.firewall	1998/02/10 01:45:57	1.6.2.6
+++ rc.firewall	1998/04/12 08:28:49
@@ -140,8 +140,11 @@ # Stop RFC1918 nets on the outside interface $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} + $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} + $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} + $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} # Allow TCP through if setup succeeded $fwcmd add pass tcp from any to any established
>Audit-Trail:
>Unformatted:
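Review bot: the three added `deny all from any to <RFC1918 net> via ${oif}` rules match packets in both directions on ${oif} (that is what `via` does), so their position relative to any natd divert rule in this section needs checking before this is committed: an inbound reply for a NATed internal host has its destination rewritten to a private address by natd, and if the divert runs before this block the new `to` rules will drop that reply, while the existing `from` rules only do their job after the divert (an outbound packet still carrying its private source). If the divert precedes this block, move the three `to` rules above it and leave the `from` rules where they are. Otherwise the hunk is consistent: it follows the existing `addr:mask` notation and the `-140,8 +140,11` header matches the three added lines.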