From owner-freebsd-security Mon Apr 17 8:38:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.freebsd.org.uk [194.242.139.170]) by hub.freebsd.org (Postfix) with ESMTP id A76AC37B5C4; Mon, 17 Apr 2000 08:38:02 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (hak.nat.Awfulhak.org [172.31.0.12]) by storm.FreeBSD.org.uk (8.9.3/8.9.3) with ESMTP id QAA96274; Mon, 17 Apr 2000 16:37:55 +0100 (BST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id NAA16155; Mon, 17 Apr 2000 13:20:52 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200004171220.NAA16155@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Anders Nordby
Cc: freebsd-ipfw@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject: Re: Closing incoming access to private (and other) networks with ipfw (and running natd)
In-Reply-To: Message from Anders Nordby of "Sun, 16 Apr 2000 20:55:28 +0200." <20000416205528.F20667@totem.fix.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 17 Apr 2000 13:20:52 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The default (despite the libalias documentation, but in line with the natd documentation) behaviour when receiving new traffic bound for the internal network(s) *used* to be to let it through.  This could be overridden with PacketAliasSetTarget() (-target_address to natd).

*now* (in -stable & -current), PacketAliasSetTarget(INADDR_ANY) behaves as before and PacketAliasSetTarget(INADDR_NONE) goes to the alias address.  The default is INADDR_NONE.

Either way, if you ``-target_address 1.2.3.4'' where 1.2.3.4 is your alias address, you should effectively block connections from outside.
> I'm not really sure where I should ask this question, since it's (at least
> to me) both natd and ipfw related. I'm building a firewall with three
> network cards (3Com xl ones), that routes both public and private networks
> to and from the Internet. Natd works -- NICs on the segment routed
> directly to the Internet see traffic from NICs on private networks as if
> it came from the IP of the NIC on the firewall on the same segment.
>
> Now, my problem is not routing/forwarding on the firewall, nor network
> address translation. I need to prevent incoming access to private networks
> through the firewall (and be sure it really works :-)). I've tried
> configuring natd with deny_incoming, but I can still ping IPs on private
> networks through xl0 (which is the NIC on the Firewall routed directly to
> the Internet). Now, that might be due to me using an extra alias on xl0
> and routing through it. But I need to be able to block access from one
> network to the other, and still be able to access the one network from the
> other (and receive responses to tcp/udp/icmp back with the same
> protocol). I've tried accomplishing this with stuff like ipfw add n deny
> all from any to 172.n.n.n in via xl0 and by using the
> keep-state/check-state etc. stuff introduced in FreeBSD 4.0, with no
> luck. :/ Either all traffic is denied (and I don't get replies back on
> requests which go the legal permitted way), or all traffic (including
> unwanted) goes through. Does anyone have a solution for this?
>
> Any help appreciated -- examples, ideas, whatever.
>
> Cheers.
>
> --
> Anders.

--
Brian
Don't _EVER_ lose your sense of humour !
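An added example (not code from this thread, nor FreeBSD's own rc.firewall) that combines the -target_address point above with the "deny ... in via xl0" rule Anders tried: the deny is placed before the divert rule, so replies natd translates for inside-initiated sessions still come back without needing keep-state. It assumes xl0 is the outside NIC, xl1/xl2 are the inside NICs, 192.0.2.1 stands in for the alias address, and the inside networks are RFC 1918 ranges.

```shell
#!/bin/sh
# Added example, not from this thread or from FreeBSD's rc.firewall.
# Assumptions: xl0 is the outside NIC, xl1/xl2 the inside ones, 192.0.2.1
# is a placeholder for the alias address natd uses on xl0, and the inside
# networks are RFC 1918 space.  natd is assumed to be started as
#   natd -interface xl0 -alias_address 192.0.2.1 -target_address 192.0.2.1
# so unsolicited inbound packets stay addressed to the firewall itself.
# Rule order is the point: packets arriving on xl0 already addressed to a
# private network are dropped before the divert rule, so the only packets
# with a private destination after natd has run are ones natd translated,
# i.e. replies to a session an inside host opened.
OUTSIDE=xl0
INSIDE="xl1 xl2"
ALIAS=192.0.2.1
PRIVATE="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
DRY_RUN=${DRY_RUN:-1}   # default: print the commands; DRY_RUN=0 loads them

run() {                 # print or execute one ipfw command
    if [ "$DRY_RUN" = 1 ]; then echo "ipfw $*"; else ipfw "$@"; fi
}

firewall_rules() {
    run -f flush
    run add 10 allow ip from any to any via lo0
    for ifn in $INSIDE; do run add 20 allow ip from any to any via "$ifn"; done
    # 1. Before NAT: no direct access to private networks from outside, and
    #    no private source addresses arriving from outside (spoofing).
    n=100
    for net in $PRIVATE; do
        run add $n deny ip from any to "$net" in via "$OUTSIDE"; n=$((n + 10))
        run add $n deny ip from "$net" to any in via "$OUTSIDE"; n=$((n + 10))
    done
    # 2. NAT in both directions on the outside interface.
    run add 500 divert natd ip from any to any via "$OUTSIDE"
    # 3. After NAT: a private destination can only be natd's own translation.
    n=600
    for net in $PRIVATE; do
        run add $n allow ip from any to "$net" in via "$OUTSIDE"; n=$((n + 10))
    done
    # 4. Unsolicited traffic is left addressed to the firewall: refuse new TCP
    #    connections to it; UDP/ICMP to the firewall itself is still allowed.
    run add 700 deny tcp from any to "$ALIAS" in via "$OUTSIDE" setup
    run add 710 allow ip from any to "$ALIAS" in via "$OUTSIDE"
    # 5. Outbound: after NAT the source address is the alias address.
    run add 800 allow ip from "$ALIAS" to any out via "$OUTSIDE"
    run add 65000 deny ip from any to any
}

firewall_rules
```

Run it as-is to review the generated rule list; run with DRY_RUN=0 as root to load it. Hosts on the routed public segment and services the firewall itself offers need their own allow rules above the final deny.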