From: Paul van der Zwan
To: "laurens van alphen"
cc: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
In-reply-to: Your message of "Thu, 20 Aug 1998 13:56:31 +0200."
Date: Mon, 24 Aug 1998 13:54:03 +0200
Message-Id: <199808241154.NAA16992@trantor.stuyts.nl>

> hi all,
>
> this is my setup
> external net: 130.89/16 (ed0)
> internal net: 192.168.0/24 (ed1)
> running natd and ipfw on the router
>
> rc.firewall contains:
> $fwcmd add divert natd all from any to any via ${natd_interface}
> where natd_interface is ed0
>
> next the default rc.firewall contained these rules:
>
> $fwcmd add deny all from 192.168.0.0/16 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0/16 via ${oif}
>
> when I apply those, natd clients (on the internal network) can no longer
> talk to the outside world. they can however talk to ${oip} and ${iip}.
>
> any clues?
> it seems to me natd should translate the packets coming from the
> internal network before the 192.168/16 rule sees 'em. right?
>

I haven't seen any useful followup. But apparently the translated packets are
sent through all filter rules after translation.
Does anybody know a way to use RFC 1918 addresses internally and still deny
them when coming from outside? I am using the same kind of setup here and I
have to allow all addresses I use on the inside as destination addresses.
It would be nice if the rules could recognize packets that had been 'fixed'
by natd.

Paul
--
Paul van der Zwan paulz @ trantor.stuyts.nl
"I think I'll move to theory, everything works in theory..."
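The ordering problem discussed in the thread, as an added example that is not the poster's rc.firewall or Paul's setup: an sh fragment that places the RFC 1918 deny rules so they only ever match untranslated packets. A packet rewritten by natd re-enters the ruleset at the rule after the divert, so denies that must not see translated traffic go before the divert and are restricted to the inbound direction with ipfw's `in` keyword, while the post-divert denies use `out` and catch anything natd failed to translate. Interface names and networks are taken from the thread; the rule numbers, the dry-run `FWCMD` variable and the `rule_number`/`verify_order` helpers are assumptions made for this example.

```shell
#!/bin/sh
# Constructed example: ipfw rule ordering around a natd divert.
# Interfaces and networks follow the thread; rule numbers are assumed.
oif="ed0"                  # external interface (natd_interface in the thread)
iif="ed1"                  # internal interface
rfc1918="192.168.0.0/16"   # private range that must never cross ed0 untranslated

# Dry run by default: print the ipfw commands instead of loading them.
# On the router itself, run with FWCMD=/sbin/ipfw to load the rules.
fwcmd="${FWCMD:-echo ipfw}"

load_rules() {
    $fwcmd -f flush

    # 1. BEFORE the divert, inbound direction only. A packet arriving on ed0
    #    has not been touched by natd yet, so a private source is spoofed and
    #    a private destination is stray traffic from the outside.
    $fwcmd add 100 deny all from $rfc1918 to any in via $oif
    $fwcmd add 110 deny all from any to $rfc1918 in via $oif

    # 2. The divert. natd rewrites the packet and it re-enters at rule 300,
    #    so rules 100/110 never see the 192.168.0.x destination that natd
    #    puts on inbound replies (the case that broke the poster's setup).
    $fwcmd add 200 divert natd all from any to any via $oif

    # 3. AFTER the divert, outbound direction only. By now natd should have
    #    replaced a private source with the public address; anything still
    #    private here leaked past natd (for instance because natd is down).
    $fwcmd add 300 deny all from $rfc1918 to any out via $oif
    $fwcmd add 310 deny all from any to $rfc1918 out via $oif

    # Internal interface and everything else: permissive for this example.
    $fwcmd add 400 pass all from any to any via $iif
    $fwcmd add 65000 pass all from any to any
}

# Rule number of the first generated rule whose text matches $1.
rule_number() {
    load_rules | grep -- "$1" | head -n 1 | cut -d' ' -f3
}

# Succeeds when every "in via ed0" deny precedes the divert and every
# "out via ed0" deny follows it, i.e. the invariant this example is about.
verify_order() {
    d=$(rule_number 'divert natd')
    [ "$(rule_number "in via $oif")" -lt "$d" ] &&
    [ "$(rule_number "out via $oif")" -gt "$d" ]
}

load_rules
verify_order && echo "rule order OK: divert sits between inbound and outbound denies"
```

Run without arguments to see the rule list in the order ipfw would evaluate it; the deny rules keep the thread's `via ${oif}` shape but gain a direction, which is what lets the same 192.168.0.0/16 prefix be rejected from outside yet delivered once natd has rewritten a reply.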