From owner-freebsd-security Thu Apr 8 20:49:50 1999
Date: Thu, 8 Apr 1999 23:47:24 -0400 (EDT)
From: Darren Henderson
To: security@FreeBSD.ORG
Subject: ipfw question regarding RFC1918 addresses

Running ipfw and natd. I use the class A RFC1918 address for the internal network.

The way things are set up, ipfw first sends everything to divert, allows all localhost stuff, then disallows the RFC1918 stuff with

    add deny all from 192.168.0.0:255.255.0.0 to any via ppp0
    add deny all from any to 192.168.0.0:255.255.0.0 via ppp0
    add deny all from 172.16.0.0:255.240.0.0 to any via ppp0
    add deny log all from any to 172.16.0.0:255.240.0.0 via ppp0
    add deny all from 10.0.0.0:255.0.0.0 to any via ppp0
    #add deny all from any to 10.0.0.0:255.0.0.0 via ppp0

(There are a handful of additional rules.)

Notice that the last line is commented out. If I include that, natd appears to stop working. I'm guessing that divert is converting an incoming packet to 10.0.0.x and it's then passing through my ruleset with its new address and being disallowed.

The simple solution would seem to be to move the RFC1918 stuff above the divert rule... is that the best solution however? Have I even come close? The goal being to block 10.0.0.0/8 coming into the machine...

______________________________________________________________________
Darren Henderson darren@jasper.somtel.com
Help fight junk e-mail, visit http://www.cauce.org/
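As an added illustration, not from Darren's mail or from the FreeBSD ipfw/natd code: a small Python model of first-match rule evaluation with a divert step that rewrites the destination the way natd would. The public address, the port redirect and the sample packets are constructed; the model shows the post-NAT packet tripping the "to 10.0.0.0/8" deny only when that deny sits after divert, while a genuinely spoofed private address is denied in either order.

```python
import ipaddress

# Constructed values: one natd port redirect behind a constructed ppp0 public
# address, plus the three RFC1918 ranges the mail's deny rules cover.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT_TABLE = {("203.0.113.10", 8080): ("10.0.0.5", 80)}  # public (dst, port) -> internal host

def divert(pkt):
    """Model of natd for an inbound packet: rewrite dst to the mapped internal host."""
    key = (pkt["dst"], pkt["dport"])
    if pkt["dir"] == "in" and key in NAT_TABLE:
        new_dst, new_port = NAT_TABLE[key]
        pkt = dict(pkt, dst=new_dst, dport=new_port)  # copy; the caller's dict is untouched
    return pkt

def matches_rfc1918(pkt):
    """The 'deny all from/to <private net> via ppp0' rules collapsed into one predicate."""
    return any(ipaddress.ip_address(pkt[f]) in net for f in ("src", "dst") for net in RFC1918)

def run_ruleset(pkt, deny_before_divert):
    """Walk an ordered ipfw-style ruleset; the first deny/allow that matches wins.

    A divert rule does not end the walk: the (possibly rewritten) packet continues
    at the next rule, which is what lets a post-NAT 10.0.0.x destination hit the
    'deny ... to 10.0.0.0/8' rule when that rule comes after divert."""
    rules = [("divert", divert), ("allow", lambda p: True)]
    rules.insert(0 if deny_before_divert else 1, ("deny", matches_rfc1918))
    for action, fn in rules:
        if action == "divert":
            pkt = fn(pkt)
            continue
        if fn(pkt):
            return action, pkt["dst"]
    return "deny", pkt["dst"]

# Constructed sample packets arriving on ppp0.
NAT_INBOUND = {"dir": "in", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 8080}
SPOOFED_DST = {"dir": "in", "src": "198.51.100.7", "dst": "10.0.0.9", "dport": 22}
SPOOFED_SRC = {"dir": "in", "src": "10.0.0.3", "dst": "203.0.113.10", "dport": 22}

if __name__ == "__main__":
    for name, pkt in (("nat", NAT_INBOUND), ("spoofed dst", SPOOFED_DST), ("spoofed src", SPOOFED_SRC)):
        for before in (False, True):
            print(name, "deny-before-divert" if before else "deny-after-divert", run_ruleset(pkt, before))
```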