Date: Mon, 24 Jul 2000 13:47:12 -0500
From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: freebsd-security@freebsd.org
Subject: Problems with natd and simple firewall
Message-ID: <397C8F30.8DFCE0E9@math.missouri.edu>
I recently tried to get natd to work with the default rc.firewall that comes with FreeBSD 4.1RC, and it didn't work. I found the problem, from looking at the web site http://www.mostgraveconcern.com/freebsd/sheet.cgi?ipfw which has a cure, but I wonder if there are other ways to fix it. In any case, the rc.firewall is currently seriously deficient.

Here is the setup: my external network has net:mask = 12.34.56.0/24 and my internal network has net:mask = 192.168.1/24

Now, suppose I have established a connection:

    192.168.1.2:4444 to 34.56.78.90:22

natd changes this to

    12.34.56.78:4444 to 34.56.78.90:22

Now a piece of tcp comes in:

    34.56.78.90:22 to 12.34.56.78:4444 via outside-interface

natd converts this to

    34.56.78.90:22 to 192.168.1.2:4444 via outside-interface

which immediately gets killed by the rule in rc.firewall:

    # Stop RFC1918 nets on the outside interface
    ...........
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

The web site fixes this by changing the line to:

    ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}

Is this the correct way to deal with this? Does this leave the computer open to spoofing? Is there some clever dynamic rule that could fix this? Or is there some option to natd that would change

    34.56.78.90:22 to 12.34.56.78:4444 via outside-interface

to

    34.56.78.90:22 to 192.168.1.2:4444 via inside-interface

? I think that the last option would be the best, and if natd does not allow it, maybe it should be added to the program.

-- 
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu
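The following is an added illustration, not part of the message above and not FreeBSD or natd code. It models ipfw's first-match rule evaluation just far enough to replay the packets described in the mail against the shipped rule (`via ${oif}`) and the relaxed one (`out via ${oif}`). The interface names `ed0`/`ed1`, the trailing pass rule, and the extra outbound "leak" packet are assumptions; the addresses are the ones the message uses.

```python
"""Model of ipfw first-match evaluation for the natd / rc.firewall scenario.

Added example: not FreeBSD's ipfw or rc.firewall code. Interface names,
the implicit trailing pass rule and the OUTBOUND_LEAK packet are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

OIF = "ed0"  # assumed name of the outside interface (${oif} in rc.firewall)
IIF = "ed1"  # assumed name of the inside interface (${iif})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet is crossing
    direction: str   # "in" or "out" relative to that interface


@dataclass(frozen=True)
class Rule:
    action: str                       # "deny" or "allow"
    src: str = "any"                  # address/mask or "any"
    dst: str = "any"
    iface: Optional[str] = None       # interface qualifier, None = no interface test
    direction: Optional[str] = None   # None models `via` (both directions);
                                      # "in"/"out" model `in via` / `out via`

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        return _addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; assume a final pass rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "allow"


# `${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}` as shipped
ORIGINAL_RULES = [Rule("deny", dst="192.168.0.0/16", iface=OIF)]
# `${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}` from the web site
RELAXED_RULES = [Rule("deny", dst="192.168.0.0/16", iface=OIF, direction="out")]

# Packets from the mail (constructed), as ipfw sees them after natd has rewritten them.
# The translated reply to the internal host: arrives on the outside interface,
# destination already rewritten to the private address.
NAT_REPLY = Packet("34.56.78.90", "192.168.1.2", OIF, "in")
# Assumed extra case: an outbound packet addressed to private space leaving via the
# outside interface, which is what the RFC1918 rule is meant to stop.
OUTBOUND_LEAK = Packet("12.34.56.78", "192.168.7.7", OIF, "out")

# Note: from ipfw's point of view NAT_REPLY has the same headers as an inbound
# packet that arrived from outside already addressed to 192.168.1.2; a rule
# that only looks at addresses and direction cannot tell the two apart.


def compare(pkt: Packet) -> dict:
    """Verdict of each rule set for one packet."""
    return {"original": evaluate(ORIGINAL_RULES, pkt),
            "relaxed": evaluate(RELAXED_RULES, pkt)}


if __name__ == "__main__":
    for name, pkt in (("translated reply", NAT_REPLY), ("outbound leak", OUTBOUND_LEAK)):
        print(f"{name:16s} {pkt.src} -> {pkt.dst} {pkt.direction} via {pkt.iface}: {compare(pkt)}")
```

Running it shows the translated reply is denied by the shipped `via` rule and passed by the `out via` variant, while the assumed outbound leak is denied by both. The comment on `NAT_REPLY` is the crux of the spoofing question in the mail: once the rule is restricted to `out`, any inbound packet on the outside interface addressed to 192.168/16 passes that rule, whether or not natd produced it, so whatever protection is wanted for that case has to come from another rule or from the ordering of the divert rule.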