From: Kim Shrier
Organization: Shrier and Deihl
Date: Mon, 24 Aug 1998 12:51:45 -0500
To: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
References: <199808241508.RAA04739@trantor.stuyts.nl>

Paul van der Zwan wrote:

> That is the problem: if I deny rfc1918 addresses I also deny packets
> translated by natd. There is AFAIK no way to distinguish these legitimate
> rfc1918-addressed packets from those coming in on the same interface
> containing an rfc1918 address from the start.

-- snip --

> This is the relevant part of my rules at the moment.
> My laptop is using 192.168.200.95 and if I browse from that thing, the return
> packets bounce against the commented line, which must be there to deny
> rfc1918 packets coming in from the internet.
>
> add divert natd ip from any to any via tun0
> add allow ip from any to any via lo0
> add allow ip from any to any via de0
> add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
> add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
> #add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
> add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
> add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
> add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
> add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
>
> Regards
> Paul
>
> --

You need to filter the rfc1918 addresses that are in the source field
before you nat them. Also, you can save yourself some time by moving the
lo0 and 127.0.0.0/8 rules above the divert rule. Try the following:

add allow ip from any to any via lo0
add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
add divert natd ip from any to any via tun0
add allow ip from any to any via de0
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0

Kim Shrier
kim@tinker.com
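As an added illustration, not part of Kim's or Paul's mail: a small Python model of ipfw's rule walk, including natd's rewrite-and-resume behaviour at the divert rule, run over both rulesets from the thread. The public address of tun0, the remote web server and the trailing allow rule are constructed assumptions; the laptop address and all deny rules are the ones quoted above.

```python
import ipaddress

# Constructed addresses for the walk-through (not from the thread): tun0's public
# address and a remote web server. The laptop address is the one Paul gave.
PUBLIC_IP, SERVER, LAPTOP = "198.51.100.7", "203.0.113.10", "192.168.200.95"
RFC1918 = ["192.168.0.0:255.255.0.0", "172.16.0.0:255.240.0.0", "10.0.0.0:255.0.0.0"]

def net(spec):
    """ipfw address spec -> network; accepts 'any', 'a.b.c.d/n' and ipfw's 'a.b.c.d:mask'."""
    return None if spec == "any" else ipaddress.ip_network(spec.replace(":", "/"), strict=False)

def parse(rule):
    """Parse the ipfw subset used in the thread: action, from/to nets, 'via X' or 'in recv X'."""
    t = rule.split()
    iface = t[t.index("via") + 1] if "via" in t else t[t.index("recv") + 1] if "recv" in t else None
    return t[1], net(t[t.index("from") + 1]), net(t[t.index("to") + 1]), iface, "in" if "recv" in t else None

def walk(rules, pkt, nat):
    """Run one packet through the rules; return (verdict, matching rule). A matching
    'divert natd' rewrites the packet the way natd would and resumes at the next rule."""
    pkt = dict(pkt)
    for rule in rules:
        action, src, dst, iface, direction = parse(rule)
        if (iface and iface != pkt["iface"]) or (direction and direction != pkt["dir"]):
            continue
        if (src and ipaddress.ip_address(pkt["src"]) not in src) or \
           (dst and ipaddress.ip_address(pkt["dst"]) not in dst):
            continue
        if action != "divert":
            return action, rule
        if pkt["dir"] == "out":                                # outbound: hide the LAN source
            nat[pkt["dst"]] = pkt["src"]
            pkt["src"] = PUBLIC_IP
        elif pkt["dst"] == PUBLIC_IP and pkt["src"] in nat:    # reply: restore the LAN destination
            pkt["dst"] = nat[pkt["src"]]
    return "deny", "default"                                   # ipfw's implicit final deny

SRC_DENY = ["add deny log all from %s to any in recv tun0" % n for n in RFC1918]
DST_DENY = ["add deny log all from any to %s in recv tun0" % n for n in RFC1918]
LO = ["add allow ip from any to any via lo0", "add deny log ip from 127.0.0.0/8 to 127.0.0.0/8"]
DIVERT, LAN = "add divert natd ip from any to any via tun0", "add allow ip from any to any via de0"
TAIL = "add allow ip from any to any"     # assumed: an allow rule further down the ruleset
PAUL = [DIVERT, LO[0], LAN, LO[1]] + SRC_DENY + DST_DENY + [TAIL]   # Paul's order, commented rule active
KIM = LO + DST_DENY + [DIVERT, LAN] + SRC_DENY + [TAIL]             # Kim's reordering

def browse(rules):
    """Laptop request leaving via tun0, then the server's reply arriving on tun0."""
    nat = {}
    request = walk(rules, {"src": LAPTOP, "dst": SERVER, "iface": "tun0", "dir": "out"}, nat)
    reply = walk(rules, {"src": SERVER, "dst": PUBLIC_IP, "iface": "tun0", "dir": "in"}, nat)
    return request[0], reply[0], reply[1]
```

With Paul's order the reply is translated first and then hits the "to 192.168.0.0" deny; with Kim's order the destination check runs against the still-public address, while spoofed rfc1918 traffic arriving on tun0 is still denied.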