From owner-freebsd-security Wed May 16 18: 4:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 2A56D37B423 for ; Wed, 16 May 2001 18:04:49 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GDGGBE00.0FK; Wed, 16 May 2001 18:04:26 -0700 Message-ID: <3B0323AF.E1FD1EC1@globalstar.com> Date: Wed, 16 May 2001 18:04:47 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Dave Seddon Cc: freebsd-security@FreeBSD.ORG Subject: Re: risks of ip-forwarding, without ipf/ipfw References: <3e9a343ed668.3ed6683e9a34@mbox.com.au> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dave Seddon wrote: > > I run a FreeBSD router/firewall for my home network, sharing cable. > > If I wasn't actually packet filtering, how would somebody attack my > internal machines (assuming the gateway box was secure and people > couldn't telnet, etc, into it)? Doesn't natd provide a lot of > protection anyway? The original poster said nothing about doing NAT. Under natd(8) or ipnat(8) on FreeBSD, you'd need to be running ipfw(8) or ipf(8) anyway. > Natd dynamically keeps track of outgoing > connections, then maps these back on the way back in. So if somebody > tries to start a connection inbound, it will hit the router, natd will > look through it's table, say to itself "no match" and drop the packet > (s). natd(8) does not filter packets. If it has an entry in its NAT table for a packet, it rewrites the headers appropriately before reinjecting it into the IP stack. If it does not, it reinjects it into the stack without touching it. > I assume that natd actually tracks the close of a tcp connection > and removes entries? or is this done by some sort of timeout? Can't recall the mechanism off of the top of my head. > Is the way to attack: > Sit on the Cable Ethernet network, address frames to target site's > ethernet address, address packets to the (guessed) internal addresses > of the target site, and set the return packet address to your box? > (assuming no firewall) Anyone who can get packets with destination addresses bound for your internal LAN to the outer interface of your NAT machine has full access to your LAN. If someone on your coax cable LAN guessed your "private" network used the block, 192.168.128.0/24, all he would need to do is, # route add 192.168.128.0/24 To get total access to your LAN. If you are using RFC1918 addresses, you are afforded the slight protection that people "far away" on the Internet cannot route packets to your network, but anyone close by can do so with trivial effort. Adding a simple, # ipfw add drop ip from any to 192.168.128.0/24 in via Before the divert(4) rule is a _very_ good idea. -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message