Date: Sat, 15 Apr 2000 23:32:29 -0400
From: "Crist J. Clark"
Reply-To: cjclark@home.com
To: Zachary Drew
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd being used as a gateway...security risk?
Message-ID: <20000415233229.D46067@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: ; from drew0054@tc.umn.edu on Sat, Apr 15, 2000 at 08:40:33PM -0500

On Sat, Apr 15, 2000 at 08:40:33PM -0500, Zachary Drew wrote:
>
> I'm using a natd box (FreeBSD) to share one IP address among several
> machines. The natd box is multihomed with 2 NICs (one private, one
> public). The public network is considered hostile (it's on a university
> network).
>
> I wondered if I could use my machine as a gateway from another machine
> on the university's network (making that other machine appear to be my
> machine), and it turns out I can. The other host I tried this from is on
> the same subnet as I am. I could log in to a machine and check where I
> logged in from... it would appear that I logged in from the natd host.
>
> So is running natd like this a security risk? People can simply change
> their IP address and make an attack appear to be coming from my IP
> address?
>
> Could people outside my subnet use my machine as a gateway? How should I
> go about fixing this? Should the natd man pages warn of this?

Try the "unregistered_only" switch.
You can also add a firewall rule that is even more specific, but how to
craft it would depend on how you have and want things working.

--
Crist J. Clark
cjclark@home.com
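The two fixes suggested above, worked through as an added example (this is a constructed model, not FreeBSD's natd or ipfw code, and not part of the original thread). It models which packets natd rewrites on the public interface, with and without the unregistered_only switch (natd -unregistered_only on the command line, or "unregistered_only yes" in natd.conf), and a small first-match anti-spoofing ruleset written in ipfw(8) style. The interface names fxp0/fxp1, the box's public address 128.101.10.20, the LAN 192.168.1.0/24 and the "attacker" 128.101.10.99 are all assumptions; only the outbound source-rewrite path is modelled, not the reverse translation of replies.

```python
"""Model of the natd gateway-abuse case: constructed example, not FreeBSD code."""
import ipaddress
from typing import NamedTuple, Optional

PUBLIC_IF = "fxp0"      # assumed: NIC on the (hostile) university network
PRIVATE_IF = "fxp1"     # assumed: NIC on the home LAN
NATD_PUBLIC_IP = ipaddress.ip_address("128.101.10.20")   # assumed box address
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")     # assumed LAN
# RFC 1918 space: the only sources natd rewrites when unregistered_only is on
UNREGISTERED = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Rule(NamedTuple):
    """One ipfw-style deny rule; None means 'any' for that field."""
    number: int
    src: Optional[ipaddress.IPv4Network]
    negate_src: bool          # True renders as 'from not <net>'
    recv: Optional[str]       # interface the packet arrived on
    xmit: Optional[str]       # interface it would leave on (out pass only)

    def matches(self, src_ip, in_if, out_if):
        ok = self.src is None or ((src_ip in self.src) != self.negate_src)
        ok = ok and (self.recv is None or self.recv == in_if)
        ok = ok and (self.xmit is None or self.xmit == out_if)
        return ok

    def as_ipfw(self):
        """Render the rule in ipfw(8) syntax (recv/xmit as in the man page)."""
        src = "any" if self.src is None else f"{'not ' if self.negate_src else ''}{self.src}"
        ifs = ""
        if self.recv and self.xmit:
            ifs = f" out recv {self.recv} xmit {self.xmit}"
        elif self.recv:
            ifs = f" in recv {self.recv}"
        return f"ipfw add {self.number} deny ip from {src} to any{ifs}"


# Anti-spoofing / anti-relay rules, placed ahead of the divert-to-natd rule:
#  100      LAN side may only send LAN addresses
#  200-202  RFC 1918 sources never arrive from the public side
#  300      never relay a packet from the public side back out the public side
ANTISPOOF = [Rule(100, PRIVATE_NET, True, PRIVATE_IF, None)]
ANTISPOOF += [Rule(200 + i, n, False, PUBLIC_IF, None) for i, n in enumerate(UNREGISTERED)]
ANTISPOOF.append(Rule(300, None, False, PUBLIC_IF, PUBLIC_IF))


def route(dst_ip):
    """Toy routing table: LAN prefix out the private NIC, everything else public."""
    return PRIVATE_IF if dst_ip in PRIVATE_NET else PUBLIC_IF


def natd_source(src_ip, out_if, unregistered_only):
    """Source address on the wire after natd, which is diverted only on the public NIC.
    With unregistered_only, a registered (globally routable) source is left alone."""
    if out_if != PUBLIC_IF:
        return src_ip
    if unregistered_only and not any(src_ip in n for n in UNREGISTERED):
        return src_ip
    return NATD_PUBLIC_IP


def forward(src, dst, in_if, rules=(), unregistered_only=False):
    """Return ('denied', rule_number) or ('forwarded', source_on_wire, out_if)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out_if = route(dst_ip)
    for rule in rules:              # first match wins, as in ipfw
        if rule.matches(src_ip, in_if, out_if):
            return ("denied", rule.number)
    return ("forwarded", str(natd_source(src_ip, out_if, unregistered_only)), out_if)


if __name__ == "__main__":
    cases = [("LAN host", "192.168.1.5", PRIVATE_IF),
             ("university host using us as gateway", "128.101.10.99", PUBLIC_IF),
             ("outsider spoofing a LAN address", "192.168.1.77", PUBLIC_IF)]
    for label, src, iface in cases:
        print(f"{label}:")
        print("  default natd       ", forward(src, "4.4.4.4", iface))
        print("  unregistered_only  ", forward(src, "4.4.4.4", iface, unregistered_only=True))
        print("  + antispoof rules  ", forward(src, "4.4.4.4", iface, ANTISPOOF, True))
    for r in ANTISPOOF:
        print(r.as_ipfw())
```

With natd's defaults the university host's packet leaves with the box's own address, which is exactly what was observed. unregistered_only stops the rewrite, so the outsider's real address stays on the packet, but the box still relays it; rule 300 (out recv fxp0 xmit fxp0) is the "more specific" firewall rule that refuses the relay altogether, and rules 100 and 200-202 close the spoofed-source variants on each side.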