Date: Mon, 4 Oct 1999 11:53:08 +0300
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: Dmitriy Bokiy <ratebor@cityline.ru>
Cc: FreeBSD Security ML <freebsd-security@FreeBSD.org>
Subject: Re: natd -deny_incoming
Message-ID: <19991004115308.B1662@relay.ucb.crimea.ua>
In-Reply-To: <18882.991003@cityline.ru>; from Dmitriy Bokiy on Sun, Oct 03, 1999 at 09:11:00PM +0300
References: <18882.991003@cityline.ru>
On Sun, Oct 03, 1999 at 09:11:00PM +0300, Dmitriy Bokiy wrote:
> Just to be completely sure. Is it correct that if I don't run natd
> with the "-deny_incoming" option turned on, it's going to accept external
> connections to RFC addresses which at the moment have an entry in natd's
> internal translation table?
>
First, the option `-deny_incoming' has nothing to do with RFC1918
addresses; it makes no distinction for them. This option could be
used to implement a so-called one-way firewall, i.e. it will reject
connections initiated externally (read: no entry in the internal
table), but allow connections originated locally.
As for natd's rules for accepting external connections: natd is a
simple program, it will either rewrite the packet, leave it untouched,
or drop it (if `-deny_incoming' was given). Without `-deny_incoming',
if natd(8) sees an incoming TCP packet (not necessarily with an RFC1918
destination address) for which no entry could be found in the internal
table (searching by {alias_addr,alias_port,remote_addr,remote_port}),
such a packet is left untouched by natd. If you turn `-deny_incoming'
on, it is dropped.
> If that's so, is there some ground under it or is it just a "feature"?
> In other words: why do we need this option at all if "deny incoming to
> RFCs" could be the default behavior?
>
We need this option for two reasons. First, as I said above, it could
be used to implement a simple one-way firewall. Second, I don't want
"deny incoming to RFC1918" to be the default behavior. If you need such a
level of functionality, use ipfw(8).
> Or do I miss anything?
>
Yes, you do. You miss ipfw(8) :-)
--
Ruslan Ermilov Sysadmin and DBA of the
ru@ucb.crimea.ua United Commercial Bank,
ru@FreeBSD.org FreeBSD committer,
+380.652.247.647 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
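The three outcomes Ruslan describes (rewrite, leave untouched, drop), as an added toy model of the natd(8) decision. This is not natd's source code and the addresses, ports and the ToyNatd/demo names are constructed for the illustration; it only shows that `-deny_incoming` keys on the translation table and not on whether the destination is an RFC1918 address.

```python
# Toy model of the natd(8) decision described in the mail above. This is an
# added illustration, not natd's source: it reproduces only the three outcomes
# the mail names (rewrite / leave untouched / drop) and shows that
# -deny_incoming keys on the translation table, not on the destination address.
# All addresses and ports are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


class ToyNatd:
    def __init__(self, alias_addr, deny_incoming=False):
        self.alias_addr = alias_addr
        self.deny_incoming = deny_incoming
        # Incoming lookup key, as stated in the mail:
        # (alias_addr, alias_port, remote_addr, remote_port) -> (local_addr, local_port)
        self.table = {}
        self._next_alias_port = 40000

    def outgoing(self, pkt):
        """Locally initiated packet: record a table entry and rewrite the source."""
        alias_port = self._next_alias_port
        self._next_alias_port += 1
        self.table[(self.alias_addr, alias_port, pkt.dst_addr, pkt.dst_port)] = (pkt.src_addr, pkt.src_port)
        return Packet(self.alias_addr, alias_port, pkt.dst_addr, pkt.dst_port)

    def incoming(self, pkt):
        """Externally arriving packet: rewrite, pass untouched, or drop."""
        entry = self.table.get((pkt.dst_addr, pkt.dst_port, pkt.src_addr, pkt.src_port))
        if entry is not None:
            return "rewrite", Packet(pkt.src_addr, pkt.src_port, *entry)
        if self.deny_incoming:
            return "drop", None
        return "pass", pkt  # left untouched; filtering it is ipfw(8)'s job


def demo(deny_incoming):
    """Return the verdicts for a matching reply and two unsolicited inbound packets."""
    nat = ToyNatd("198.51.100.1", deny_incoming)
    nat.outgoing(Packet("192.168.1.10", 1025, "203.0.113.5", 80))  # local host connects out
    reply = nat.incoming(Packet("203.0.113.5", 80, "198.51.100.1", 40000))      # entry exists
    to_alias = nat.incoming(Packet("203.0.113.9", 5555, "198.51.100.1", 22))    # no entry
    to_rfc1918 = nat.incoming(Packet("203.0.113.9", 5555, "192.168.1.10", 22))  # no entry
    return reply, to_alias[0], to_rfc1918[0]
```

Both unsolicited packets get the same verdict regardless of their destination: passed through untouched without `-deny_incoming`, dropped with it.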
