From owner-freebsd-security Mon Aug 24 13:18:54 1998
From: "laurens van alphen"
To:
Cc: "craxx e-consultants"
Subject: RE: natd and ipfw rules not working together
Date: Mon, 24 Aug 1998 22:17:26 +0200
Message-ID: <000d01bdcf9c$365a7e70$0a00a8c0@uptight.student.utwente.nl>
In-reply-to: <35E1A831.D12B41A7@tinker.com>
Sender: owner-freebsd-security@FreeBSD.ORG

hello,

>You need to filter the rfc1918 addresses that are in the source field
>before you nat them. Also, you can save yourself some time by moving
>lo0 and 127.0.0.0/8 rules above the divert rule.
>Try the following:
>
>add allow ip from any to any via lo0
>add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
>
>add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
>add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
>add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
>
>add divert natd ip from any to any via tun0
>
>add allow ip from any to any via de0
>add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
>add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
>add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
>add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0

tun0=ed0 here.

the problem here is that they probably hit natd alright (as before) but the
natd'ed packets walk all the way from the top down.

situation:

  inet --- [ 195.108.198.1 - natd - 192.168.0.1 ] --- clients

eg. packet from 12.0.0.1 to 192.168.0.23 (e.g. SYN ACK)

real packet:           from 12.0.0.1 to 195.108.198.1 (recv in ed0)
natd changes this to:  from 12.0.0.1 to 192.168.0.23  (still recv in ed0)

and this packet starts at rule 0. natd doesn't touch the interfaces (maybe it should?)

now the rule:

  add deny log all from any to 192.168.0.0:255.255.0.0 in recv ed0

will block this packet and it's dropped.

natd should either:
- mark packets as 'processed' so we can skip those later on.
- change the 'recv' interface

any ideas?

--
laurens van alphen
craxx e-consultants
alphen@craxx.com
http://craxx.com/

--
the information sent with this e-mail message is intended solely for the addressee. use of this information by anyone other than the addressee is prohibited. disclosure, copying, distribution and/or provision of this information to third parties is not permitted. craxx does not guarantee the correct and complete transmission of the contents of a sent e-mail, nor its timely receipt.

--
the information contained in this communication is confidential and may be legally privileged.
it is intended solely for the use of the individual or entity to whom it is addressed and others authorised to receive it. if you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance of the contents of this information is strictly prohibited and may be unlawful. craxx is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
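As an added illustration (not code from the thread or from natd/ipfw), here is a small Python model of the traversal Laurens describes: the quoted ruleset with ed0 standing in for tun0, a constructed one-entry natd table for the 195.108.198.1 to 192.168.0.23 session, and a switch for whether the translated packet restarts at rule 0, as the message says, or resumes at the rule after the divert. The final catch-all allow, the NAT table and the inbound-only interface matching are assumptions.

```python
import ipaddress
ANY, net = ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network
# Constructed model of the quoted ruleset (ed0 stands in for tun0). A rule is
# (action, src_net, dst_net, iface) with iface None, ("via", X) or ("recv", X).
# The final catch-all allow stands in for the rest of a real ruleset.
RULES = [
    ("allow",  ANY, ANY, ("via", "lo0")),
    ("deny",   net("127.0.0.0/8"), net("127.0.0.0/8"), None),
    ("deny",   ANY, net("192.168.0.0/16"), ("recv", "ed0")),
    ("deny",   ANY, net("172.16.0.0/12"),  ("recv", "ed0")),
    ("deny",   ANY, net("10.0.0.0/8"),     ("recv", "ed0")),
    ("divert", ANY, ANY, ("via", "ed0")),
    ("allow",  ANY, ANY, ("via", "de0")),
    ("deny",   net("192.168.0.0/16"), ANY, ("recv", "ed0")),
    ("deny",   net("172.16.0.0/12"),  ANY, ("recv", "ed0")),
    ("deny",   net("10.0.0.0/8"),     ANY, ("recv", "ed0")),
    ("allow",  ANY, ANY, None),
]
# Constructed natd session: public 195.108.198.1 maps to client 192.168.0.23.
NAT_TABLE = {"195.108.198.1": "192.168.0.23"}

def matches(rule, pkt):
    _, src, dst, iface = rule
    src_ok = ipaddress.ip_address(pkt["src"]) in src
    dst_ok = ipaddress.ip_address(pkt["dst"]) in dst
    # Inbound only: "via X" and "in recv X" both test the receive interface.
    return src_ok and dst_ok and (iface is None or pkt["recv"] == iface[1])

def natd_inbound(pkt):
    # natd rewrites the destination address; the receive interface stays ed0.
    return dict(pkt, dst=NAT_TABLE.get(pkt["dst"], pkt["dst"]))

def filter_inbound(pkt, rules, resume_after_divert):
    """Return (verdict, index of the terminating rule) for an inbound packet."""
    i, steps = 0, 0
    while i < len(rules):
        steps += 1
        if steps > 4 * len(rules):       # guard against a reinjection loop
            return ("loop", i)
        if not matches(rules[i], pkt):
            i += 1
        elif rules[i][0] != "divert":
            return (rules[i][0], i)
        else:                            # reinjected with the translated address
            pkt = natd_inbound(pkt)
            i = i + 1 if resume_after_divert else 0
    return ("default", len(rules))

# The SYN/ACK from the message: 12.0.0.1 -> 195.108.198.1, received on ed0.
SYN_ACK = {"src": "12.0.0.1", "dst": "195.108.198.1", "recv": "ed0"}
```

With restart-at-0 semantics the translated SYN/ACK dies on the third rule (deny to 192.168.0.0/16 in recv ed0); with resume-after-divert it passes the post-divert source checks and reaches the catch-all, while a packet arriving on ed0 with a 192.168.x source is still caught by the anti-spoofing rule after the divert.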