Date:      Thu, 8 Apr 1999 23:47:24 -0400 (EDT)
From:      Darren Henderson <darren@jasper.somtel.com>
To:        security@FreeBSD.ORG
Subject:   ipfw question regarding RFC1918 addresses
Message-ID:  <Pine.BSF.4.10.9904082336450.18705-100000@jasper.somtel.com>
In-Reply-To: <bulk.13261.19990331081756@hub.freebsd.org>


Running ipfw and natd. I use the class A RFC1918 address for the internal
network.

The way things are set up ipfw first sends everything to divert, allows
all localhost stuff then disallows the RFC1918 stuff with

add deny all from 192.168.0.0:255.255.0.0 to any via ppp0
add deny all from any to 192.168.0.0:255.255.0.0 via ppp0
add deny all from 172.16.0.0:255.240.0.0 to any via ppp0
add deny log all from any to 172.16.0.0:255.240.0.0 via ppp0
add deny all from 10.0.0.0:255.0.0.0 to any via ppp0
#add deny all from any to 10.0.0.0:255.0.0.0 via ppp0

(There are a handful of additional rules). Notice that last line is
commented out. If I include that natd appears to stop working. I'm
guessing that divert is converting an incoming packet to 10.0.0.x and it's
then passing through my ruleset with its new address and being disallowed.
The simple solution would seem to be to move the RFC1918 stuff above the
divert rule... is that the best solution however? Have I even come close?

The goal being to block 10.0.0.0/8 coming into the machine...


______________________________________________________________________
Darren Henderson                              darren@jasper.somtel.com

                   Help fight junk e-mail, visit http://www.cauce.org/
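A small simulation of ipfw's first-match walk with natd's address rewrite, added here as an example and not part of the post (the public address, internal host and packets are constructed; 10/8 is taken as the internal network). It reproduces the breakage described above, shows that moving the six deny rules above divert unchanged would instead block outbound traffic before natd translates it, and that qualifying the moved rules with `in` gives the intended block of 10/8 coming in:

```python
import ipaddress
# Constructed for the simulation (not from the post): natd's public address on ppp0,
# one internal host, and the three RFC1918 blocks the poster's rules deny.
PUBLIC_IP, INTERNAL_HOST, ANY = "203.0.113.5", "10.0.0.7", "0.0.0.0/0"
RFC1918 = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):
    """Minimal ipfw matcher; a rule is (action, src, dst, direction, interface)."""
    _, src, dst, direction, iface = rule
    return (direction in (None, pkt["dir"]) and iface in (None, pkt["iface"])
            and _in(pkt["src"], src) and _in(pkt["dst"], dst))

def run_ruleset(rules, pkt):
    """First-match walk like ipfw.  'divert' stands in for natd: the packet is
    rewritten and re-enters at the NEXT rule, so later rules see the translated
    addresses.  Falling off the end is the kernel's default deny."""
    pkt = dict(pkt)
    for rule in rules:
        if rule[0] == "divert":
            if matches(rule, pkt):
                if pkt["dir"] == "in" and pkt["dst"] == PUBLIC_IP:
                    pkt["dst"] = INTERNAL_HOST      # inbound: public -> internal host
                elif pkt["dir"] == "out" and _in(pkt["src"], "10.0.0.0/8"):
                    pkt["src"] = PUBLIC_IP          # outbound: internal -> public
            continue
        if matches(rule, pkt):
            return rule[0]
    return "deny"

def denies(direction):
    """The poster's six RFC1918 deny rules, optionally limited to one direction."""
    return [r for net in RFC1918 for r in (("deny", net, ANY, direction, "ppp0"),
                                           ("deny", ANY, net, direction, "ppp0"))]

DIVERT = ("divert", ANY, ANY, None, "ppp0")
REST = ("allow", ANY, ANY, None, None)          # stands in for the "handful of additional rules"
ORIGINAL = [DIVERT] + denies(None) + [REST]     # poster's order, with the commented line enabled
NAIVE = denies(None) + [DIVERT, REST]           # denies moved above divert unchanged
FIXED = denies("in") + [DIVERT, REST]           # moved above divert AND limited to 'in'
# Constructed packets: a reply to the public address, a spoofed 10/8 source on ppp0,
# and an internal host's outbound packet that still needs NAT.
REPLY = {"src": "198.51.100.9", "dst": PUBLIC_IP, "dir": "in", "iface": "ppp0"}
SPOOFED = {"src": "10.9.9.9", "dst": PUBLIC_IP, "dir": "in", "iface": "ppp0"}
OUTBOUND = {"src": INTERNAL_HOST, "dst": "198.51.100.9", "dir": "out", "iface": "ppp0"}

def verdicts(rules):
    """Decision for each test packet under a ruleset, as (reply, spoofed, outbound)."""
    return tuple(run_ruleset(rules, p) for p in (REPLY, SPOOFED, OUTBOUND))
```

Under ORIGINAL the legitimate reply is denied after natd rewrites its destination to 10.0.0.7, which is the symptom in the post; NAIVE blocks the spoofed packet but also the untranslated outbound one; FIXED allows both legitimate flows and still drops 10/8 arriving on ppp0.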






