Date: Mon, 17 Apr 2000 13:20:52 +0100
From: Brian Somers <brian@Awfulhak.org>
To: Anders Nordby <anders@fix.no>
Cc: freebsd-ipfw@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject: Re: Closing incoming access to private (and other) networks with ipfw (and running natd)
Message-ID: <200004171220.NAA16155@hak.lan.Awfulhak.org>
In-Reply-To: Message from Anders Nordby <anders@fix.no> of "Sun, 16 Apr 2000 20:55:28 +0200." <20000416205528.F20667@totem.fix.no>
The default (despite the libalias documentation, but in line with the natd documentation) behaviour when receiving new traffic bound for the internal network(s) *used* to be to let it through. This could be overridden with PacketAliasSetTarget() (-target_address to natd). *Now* (in -stable & -current), PacketAliasSetTarget(INADDR_ANY) behaves as before and PacketAliasSetTarget(INADDR_NONE) goes to the alias address. The default is INADDR_NONE. Either way, if you ``-target_address 1.2.3.4'' where 1.2.3.4 is your alias address, you should effectively block connections from outside.

> I'm not really sure where I should ask this question, since it's (at least
> to me) both natd and ipfw related. I'm building a firewall with three
> network cards (3Com xl ones), that routes both public and private networks
> to and from the Internet. Natd works -- NICs on the segment routed
> directly to the Internet see traffic from NICs on private networks as if
> it came from the IP of the NIC on the firewall on the same segment.
>
> Now, my problem is not routing/forwarding on the firewall, nor network
> address translation. I need to prevent incoming access to private networks
> through the firewall (and be sure it really works :-)). I've tried
> configuring natd with deny_incoming, but I can still ping IPs on private
> networks through xl0 (which is the NIC on the firewall routed directly to
> the Internet). Now, that might be due to me using an extra alias on xl0
> and routing through it. But I need to be able to block access from one
> network to the other, and still be able to access the one network from the
> other (and receive responses to tcp/udp/icmp back with the same
> protocol). I've tried accomplishing this with stuff like ipfw add n deny
> all from any to 172.n.n.n in via xl0 and by using the
> keep-state/check-state etc. stuff introduced in FreeBSD 4.0, with no
> luck. :/ Either all traffic is denied (and I don't get replies back on
> requests which go the legal permitted way), or all traffic (including
> unwanted) goes through. Does anyone have a solution for this?
>
> Any help appreciated -- examples, ideas, whatever.
>
> Cheers.
>
> --
> Anders.

-- 
Brian <brian@Awfulhak.org>        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
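As an added example (not code from Brian, Anders or the FreeBSD project), here is one way to lay out natd and ipfw for the problem in this thread: unsolicited traffic arriving on the Internet NIC must never reach the private segment, while NAT'd replies to flows the inside hosts started still come back. xl0, -target_address, deny_incoming and keep-state/check-state are taken from the thread; the private-side interface name xl1, the 172.16.0.0/12 range and the 192.0.2.1 alias address are assumed placeholders. It goes a step beyond Brian's -target_address point by showing where the ipfw denies and the stateful rules have to sit relative to the divert rule, which is what decides between the "everything is denied" and "everything goes through" outcomes Anders describes.

```shell
#!/bin/sh
# Added example for the thread above (not code from either poster).
# Goal: unsolicited traffic arriving on the Internet NIC never reaches the
# private segment, while NAT'd replies to inside-initiated flows still return.
# Interface names, the private range and the alias address are constructed
# placeholders; adjust them for the real box.

EXT_IF="xl0"               # NIC facing the Internet (named in the thread)
INT_IF="xl1"               # NIC facing the private segment (assumed name)
PRIV_NET="172.16.0.0/12"   # private range behind INT_IF (constructed)
ALIAS_IP="192.0.2.1"       # natd alias address on EXT_IF (placeholder)

# natd(8) flags. -target_address set to the alias address is Brian's point:
# a new inbound flow with no NAT mapping is aimed at the firewall itself,
# never at an inside host. (-deny_incoming would make natd drop it instead.)
natd_flags() {
    printf '%s\n' "-alias_address $ALIAS_IP -target_address $ALIAS_IP"
}

# The ruleset, one "ipfw add" argument list per line. Ordering is the point:
#   100/110  run BEFORE the divert, so they see wire addresses. A packet that
#            arrives on EXT_IF already addressed to the private range was
#            routed to us from outside, not translated by natd: drop it.
#            A legitimate NAT reply still carries ALIAS_IP here and passes.
#   200      natd rewrites the reply's destination back to the inside host.
#   300      check-state now matches the (inside host <-> remote) flow that
#            rule 400 recorded, so the translated reply is allowed through.
#   400      keep-state is taken on the inbound pass from INT_IF, i.e. before
#            NAT, so the dynamic rule is keyed on the private address.
#   410      the same packet, now translated, leaves EXT_IF from ALIAS_IP.
#   65000    everything else, including new inbound flows to ALIAS_IP that
#            natd left untranslated, is dropped.
ipfw_rules() {
    cat <<EOF
100 deny log all from any to $PRIV_NET in via $EXT_IF
110 deny log all from $PRIV_NET to any in via $EXT_IF
200 divert natd all from any to any via $EXT_IF
300 check-state
400 allow all from $PRIV_NET to any in via $INT_IF keep-state
410 allow all from $ALIAS_IP to any out via $EXT_IF
65000 deny log all from any to any
EOF
}

# Load the ruleset if ipfw(8) is present; elsewhere it only reports and exits.
apply_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not available; ruleset not loaded" >&2
        return 1
    fi
    ipfw -f flush
    ipfw_rules | while read -r rule; do
        # splitting $rule into separate words is intended here
        ipfw add $rule
    done
}

# Only touch the live firewall when explicitly asked: ./nat-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with the `apply` argument on the firewall itself; without it the script only defines `natd_flags` and `ipfw_rules`, so the generated ruleset can be inspected first. The placement that fixes Anders's symptom is rules 100/110 ahead of the divert: put them after it and a de-NATted reply, whose destination is now a private address, is denied (everything blocked); leave them out and the stateful rules alone cannot distinguish a routed-in packet from a translated one (everything passes).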