From owner-freebsd-security Fri Apr 9 4:26:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from netserv1.chg.ru (netserv1.chg.ru [193.233.46.3]) by hub.freebsd.org (Postfix) with ESMTP id 19DD21514D for ; Fri, 9 Apr 1999 04:26:01 -0700 (PDT) (envelope-from ks@chg.ru)
Received: from speecart.chg.ru (speecart.chg.ru [193.233.46.2]) by netserv1.chg.ru (8.9.1/8.9.1) with ESMTP id PAA16738; Fri, 9 Apr 1999 15:22:08 +0400 (MSD)
Message-ID:
X-Mailer: XFMail 1.2 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Fri, 09 Apr 1999 15:21:16 +0400 (MSD)
Organization: Landau Institute for Theoretical Physics
From: "Sergey S. Kosyakov"
To: Darren Henderson
Subject: RE: ipfw question regarding RFC1918 addresses
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Where is the place for divert rules? Check carefully, what do you want to do?

And one more - the better rules will be:

    add deny all from 192.168.0.0/16 to any in recv ppp0
    ... other deny rules ...
    add divert _port_ ip from any to any via _external_if_0_
    add allow ip from any to any

And start natd with "-u" flag.

Sergey.

On 09-Apr-99 Darren Henderson wrote:
>
> Running ipfw and natd. I use the class A RFC1918 address for the internal
> network.
>
> The way things are set up ipfw first sends everything to divert, allows
> all localhost stuff then disallows the RFC1918 stuff with
>
> add deny all from 192.168.0.0:255.255.0.0 to any via ppp0
> add deny all from any to 192.168.0.0:255.255.0.0 via ppp0
> add deny all from 172.16.0.0:255.240.0.0 to any via ppp0
> add deny log all from any to 172.16.0.0:255.240.0.0 via ppp0
> add deny all from 10.0.0.0:255.0.0.0 to any via ppp0
> #add deny all from any to 10.0.0.0:255.0.0.0 via ppp0
>
> (There are a handful of additional rules). Notice that last line is
> commented out. If I include that natd appears to stop working. I'm
> guessing that divert is converting an incoming packet to 10.0.0.x and it's
> then passing through my ruleset with its new address and being disallowed.
> The simple solution would seem to be to move the RFC1918 stuff above the
> divert rule... is that the best solution however? Have I even come close?
>
> The goal being to block 10.0.0.0/8 coming into the machine...
>
>
> ______________________________________________________________________
> Darren Henderson darren@jasper.somtel.com
>
> Help fight junk e-mail, visit http://www.cauce.org/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

---
----------------------------------
Sergey Kosyakov
Laboratory of Distributed Computing
Department of High-Performance Computing and Applied Network Research
Landau Institute for Theoretical Physics
E-Mail: ks@chg.ru
Date: 09-Apr-99
Time: 15:14:50
----------------------------------
---
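The rule-ordering problem discussed in this thread, as an added illustration (not code from either poster): a small model of ipfw's first-match walk in which a divert rule hands the packet to natd and processing continues after it. Darren's order (divert, then "via ppp0" deny rules) drops a legitimate inbound packet once natd has rewritten its destination to 10.0.0.x; Sergey's order ("in recv ppp0" deny rules first, then divert, then allow) drops spoofed private sources before NAT and lets translated traffic through. The addresses, the NAT mapping and the "other deny rules" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace as dc_replace
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    iface: str
    direction: str  # "in" or "out"

@dataclass
class Rule:
    action: str                   # "deny", "allow" or "divert"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    iface: Optional[str] = None   # None matches any interface
    recv_only: bool = False       # True models "in recv <iface>", False models "via <iface>"

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface and pkt.iface != rule.iface:
        return False
    if rule.recv_only and pkt.direction != "in":
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))

def walk(rules, pkt: Packet, nat_table):
    """First-match walk; divert rewrites the packet (as natd would) and continues with the next rule."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            if pkt.direction == "in" and pkt.dst in nat_table:
                pkt = dc_replace(pkt, dst=nat_table[pkt.dst])  # inbound: public dst -> internal host
            continue
        return rule.action, pkt
    return "deny", pkt  # assumed default-deny at the end of the set

PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]   # RFC1918 ranges
NAT = {"203.0.113.1": "10.0.0.7"}                              # constructed natd mapping

darren = ([Rule("divert", iface="ppp0")]
          + [Rule("deny", src=n, iface="ppp0") for n in PRIVATE]
          + [Rule("deny", dst=n, iface="ppp0") for n in PRIVATE]   # the rule Darren had to comment out
          + [Rule("allow")])
sergey = ([Rule("deny", src=n, iface="ppp0", recv_only=True) for n in PRIVATE]
          + [Rule("divert", iface="ppp0"), Rule("allow")])

reply = Packet("198.51.100.5", "203.0.113.1", "ppp0", "in")   # constructed legitimate inbound packet
spoof = Packet("10.0.0.9", "203.0.113.1", "ppp0", "in")       # constructed inbound packet with private source
```

walk(darren, reply, NAT) returns a deny on the already translated packet, while walk(sergey, reply, NAT) allows it and walk(sergey, spoof, NAT) denies the spoofed packet before any translation.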