From owner-freebsd-security Mon Oct 4 6:20:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [212.110.138.1]) by hub.freebsd.org (Postfix) with ESMTP id EDCDE14EFD for ; Mon, 4 Oct 1999 06:18:47 -0700 (PDT) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.9.3/8.9.3/UCB) id LAA33643; Mon, 4 Oct 1999 11:53:08 +0300 (EEST) (envelope-from ru)
Date: Mon, 4 Oct 1999 11:53:08 +0300
From: Ruslan Ermilov
To: Dmitriy Bokiy
Cc: FreeBSD Security ML
Subject: Re: natd -deny_incoming
Message-ID: <19991004115308.B1662@relay.ucb.crimea.ua>
Mail-Followup-To: Dmitriy Bokiy , FreeBSD Security ML
References: <18882.991003@cityline.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <18882.991003@cityline.ru>; from Dmitriy Bokiy on Sun, Oct 03, 1999 at 09:11:00PM +0300
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Oct 03, 1999 at 09:11:00PM +0300, Dmitriy Bokiy wrote:
> Just to be completely sure. Is it correct that if I don't run natd
> with "-deny_incoming" option turned on it's going to accept external
> connections to RFC addresses which at the moment have an entry in NATd's
> internal translation table?
>
First, the option `-deny_incoming' has nothing to do with RFC1918 addresses; it makes no distinction for them. This option could be used to implement a so-called one-way firewall, i.e. it will reject connections initiated externally (read: no entry in the internal table) but allow connections originated locally.

As for natd's rules for accepting external connections: natd is a simple program; it will either rewrite the packet, leave it untouched, or drop it (if `-deny_incoming' was given).

Without `-deny_incoming', if natd(8) sees an incoming TCP packet (not necessarily with an RFC1918 destination address) for which no entry could be found in the internal table (searching by {alias_addr,alias_port,remote_addr,remote_port}), such a packet is left untouched by natd. If you turn `-deny_incoming' on, it is dropped.

> If that's so is there some ground under it or is it just a "feature"?
> In other words: why do we need this option at all if "deny incoming to
> RFCs" could be default behavior?
>
We need this option for two reasons. First, as I said above, it could be used to implement a simple one-way firewall. Second, I don't want "deny incoming to RFC1918" to be the default behavior. If you need such a level of functionality, use ipfw(8).

> Or do I miss anything?
>
Yes, you do. You miss ipfw(8) :-)

-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
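To make the three outcomes described in the post concrete, here is an added Python model of natd's table lookup and the `-deny_incoming' switch; it is not natd's own code, and the alias address (203.0.113.5), the port allocator and the sample packets are constructed for illustration (real natd also keys on protocol and reuses existing links for repeated packets of one flow).

```python
"""Toy model of natd(8)'s decision for a packet: rewrite it, leave it untouched,
or drop it (the last only with -deny_incoming). Added example, not natd's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Natd:
    def __init__(self, alias_addr: str, deny_incoming: bool = False) -> None:
        self.alias_addr = alias_addr
        self.deny_incoming = deny_incoming
        # Table key, as in the post: {alias_addr, alias_port, remote_addr, remote_port}
        # mapped to the local (addr, port) the connection was originated from.
        self.table: dict[tuple[str, int, str, int], tuple[str, int]] = {}
        self.next_port = 50000  # constructed alias port allocator, not natd's policy

    def outgoing(self, p: Packet) -> Packet:
        """Locally originated packet: allocate an alias port, record the link,
        and rewrite the source to the alias address/port."""
        alias_port = self.next_port
        self.next_port += 1
        self.table[(self.alias_addr, alias_port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.alias_addr, alias_port, p.dst, p.dport)

    def incoming(self, p: Packet):
        """Externally received packet: rewrite the destination if a link exists;
        otherwise pass it untouched, or drop it (None) when deny_incoming is set.
        Whether the destination is an RFC1918 address plays no role here."""
        local = self.table.get((p.dst, p.dport, p.src, p.sport))
        if local is not None:
            return Packet(p.src, p.sport, local[0], local[1])
        return None if self.deny_incoming else p


def demo(deny_incoming: bool):
    """Constructed scenario: one outbound web connection, then a stray inbound
    packet aimed directly at the RFC1918 host with no matching table entry."""
    nat = Natd("203.0.113.5", deny_incoming)  # constructed alias address
    out = nat.outgoing(Packet("192.168.1.10", 40000, "198.51.100.7", 80))
    reply = nat.incoming(Packet("198.51.100.7", 80, out.src, out.sport))
    stray = nat.incoming(Packet("198.51.100.9", 12345, "192.168.1.10", 22))
    return reply, stray
```

With the default setting the stray packet leaves natd unchanged, which is why the post points at ipfw(8) for actually blocking it; with `-deny_incoming' it is dropped while the reply to the locally originated connection is still translated.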