Date:      Mon, 17 Apr 2000 13:20:52 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        Anders Nordby <anders@fix.no>
Cc:        freebsd-ipfw@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject:   Re: Closing incoming access to private (and other) networks with ipfw (and running natd) 
Message-ID:  <200004171220.NAA16155@hak.lan.Awfulhak.org>
In-Reply-To: Message from Anders Nordby <anders@fix.no>  of "Sun, 16 Apr 2000 20:55:28 +0200." <20000416205528.F20667@totem.fix.no>

The default (despite the libalias documentation, but in line with the 
natd documentation) behaviour when receiving new traffic bound for 
the internal network(s) *used* to be to let it through.  This could 
be overridden with PacketAliasSetTarget() (-target_address to natd).

*now* (in -stable & -current), PacketAliasSetTarget(INADDR_ANY) 
behaves as before and PacketAliasSetTarget(INADDR_NONE) goes to the 
alias address.  The default is INADDR_NONE.

Either way, if you ``-target_address 1.2.3.4'' where 1.2.3.4 is your 
alias address, you should effectively block connections from outside.

> I'm not really sure where I should ask this question, since it's (at least
> to me) both natd and ipfw related. I'm building a firewall with three
> network cards (3Com xl ones), that routes both public and private networks
> to and from the Internet. Natd works -- NICs on the segment routed
> directly to the Internet see traffic from NICs on private networks as if
> it came from the IP of the NIC on the firewall on the same segment.
> 
> Now, my problem is not routing/forwarding on the firewall, nor network
> address translation. I need to prevent incoming access to private networks
> through the firewall (and be sure it really works :-)). I've tried
> configuring natd with deny_incoming, but I can still ping IPs on private
> networks through xl0 (which is the NIC on the Firewall routed directly to
> the Internet). Now, that might be due to me using an extra alias on xl0
> and routing through it. But I need to be able to block access from one
> network to the other, and still be able to access the one network from the
> other (and receive response to tcp/udp/icmp back with the same 
> protocol). I've tried accomplishing this with stuff like ipfw add n deny 
> all from any to 172.n.n.n in via xl0 and by using the 
> keep-state/check-state etc. stuff introduced in FreeBSD 4.0, with no 
> luck. :/ Either all traffic is denied (and I don't get replies back on
> requests which go the legal, permitted way), or all traffic (including
> unwanted) goes through. Does anyone have a solution for this?
> 
> Any help appreciated -- examples, ideas, whatever.
> 
> Cheers.
> 
> -- 
> Anders.

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                    <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
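As an added example (not part of this thread, nor FreeBSD's own rc.firewall), here is Brian's -target_address advice turned into a natd invocation and an ipfw ruleset for the layout Anders describes: xl0 faces the Internet, xl1 (assumed) carries a private 172.16.0.0/12 net, and 192.0.2.1 is a placeholder for the xl0 alias address. The point it shows is rule ordering: the deny for private destinations must sit before the divert, and anything that reaches the rules after the divert with a private destination is by construction a natd-translated reply.

```sh
#!/bin/sh
# Constructed example. On the firewall you would run:
#   gen_natd_cmd xl0 192.0.2.1 | sh
#   gen_ipfw_rules xl0 xl1 172.16.0.0/12 > /etc/ipfw.rules
#   ipfw -q -f flush && ipfw -q /etc/ipfw.rules

gen_natd_cmd() {
    ext_if=$1; alias=$2
    # -target_address set to the alias address: incoming packets natd has
    # no session for stay addressed to the firewall itself instead of being
    # forwarded into the private network.
    printf 'natd -n %s -target_address %s\n' "$ext_if" "$alias"
}

gen_ipfw_rules() {
    ext_if=$1; int_if=$2; priv=$3
    # Comment and blank lines are stripped so the output is a plain rules file.
    sed -e '/^#/d' -e '/^$/d' <<EOF
# A packet arriving on $ext_if already addressed to private space never had a
# natd session (replies come back addressed to the alias). Drop it BEFORE the
# divert: packets natd translates back to $priv are re-injected after rule
# 200, so rule 100 never sees them.
add 100 deny log ip from any to $priv in via $ext_if
add 200 divert natd ip from any to any via $ext_if

add 300 allow ip from any to any via lo0
add 310 allow ip from any to any via $int_if
add 320 allow ip from any to any out via $ext_if

# Past the divert, an inbound packet with a $priv destination can only be one
# natd rewrote, i.e. a reply to a session opened from inside. UDP and ICMP
# replies are therefore let through without any ipfw state of their own.
add 400 allow tcp from any to $priv in via $ext_if established
add 410 allow udp from any to $priv in via $ext_if
add 420 allow icmp from any to $priv in via $ext_if

# Everything else arriving on $ext_if, including unsolicited traffic that
# -target_address left at the alias address, is dropped. Explicit allows for
# services the firewall itself offers belong above this rule.
add 65000 deny log ip from any to any
EOF
}
```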