From owner-freebsd-security Sun Oct 3 12:51:33 1999
Date: Sun, 3 Oct 1999 12:51:34 -0700 (PDT)
From: "f.johan.beisser" <jan@caustic.org>
To: Dmitriy Bokiy
Cc: FreeBSD Security ML <freebsd-security@freebsd.org>
Subject: Re: natd -deny_incoming
In-Reply-To: <18882.991003@cityline.ru>

On Sun, 3 Oct 1999, Dmitriy Bokiy wrote:

> Just to be completely sure. Is it correct that if I don't run natd
> with "-deny_incoming" option turned on it's going to accept external
> connections to RFC addresses which at the moment have an entry in NATd's
> internal translation table?

no, it shouldn't. because of how TCP/IP works, even if the request is on a port that is open (natd will drop it anyway), the daemon holding the port open will renegotiate it anyway.

natd can do port forwarding though, and map certain ports over to other machines in the internal network.

natd also doesn't care about the RFC networks. it plays dumb, and just listens to its designated interface.

> If that's so is there some ground under it or is it just a "feature"?
> In other words: why do we need this option at all if "deny incoming to
> RFCs" could be default behavior?

well, the problem with denying the unroutable networks (RFC 1918: 192.168.0.0, 10.0.0.0, 172.16.0.0) from natd is that some folks (in my lab, included) will want to have an unroutable network inside of an unroutable one.

> Or do I miss anything?

no, i don't think so.
if you're really worried about spoofing coming through, i'd suggest using IPFW or IPFILTER to stop the spoofing. it's just two lines in the IPFW to stop it.

-- jan
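As an added example (not part of the original thread, and not jan's own rule set), here is a small POSIX sh script that generates the IPFW anti-spoofing rules the reply alludes to: drop anything arriving on the external interface with an RFC 1918 source address, and place those deny rules before the natd divert rule so spoofed packets are never translated. The interface name fxp0, the rule numbers starting at 1000, and the dry-run design (the script prints ipfw commands rather than running them) are all assumptions made for the example; binding the rules to "in via" the external interface is what keeps an RFC 1918 network on the inside, as jan describes, from being blocked.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates ipfw rules that
# block spoofed RFC 1918 sources on the external interface and orders them
# ahead of the natd divert rule. Interface name, rule numbers and the
# print-only behaviour are assumptions; nothing here calls ipfw directly.

# anti_spoof_rules EXT_IF [BASE_RULE_NUMBER]
# Emit one "deny" per RFC 1918 block for packets coming *in* on EXT_IF,
# then the natd divert rule with a higher number, so ipfw evaluates the
# deny rules first. Outbound traffic and the internal interface are untouched,
# so an RFC 1918 LAN behind the box keeps working.
anti_spoof_rules() {
    ext_if=$1                 # external (Internet-facing) interface, e.g. fxp0
    n=${2:-1000}              # first rule number (assumed numbering scheme)
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        # "log" makes dropped spoofs visible in the ipfw log for detection
        echo "ipfw add $n deny log ip from $net to any in via $ext_if"
        n=$((n + 10))
    done
    # natd divert rule is numbered after every deny rule above
    echo "ipfw add $n divert natd ip from any to any via $ext_if"
}

# count_deny_rules EXT_IF: how many deny rules precede the divert rule.
count_deny_rules() {
    anti_spoof_rules "$1" | grep -c ' deny '
}

# divert_is_last EXT_IF: succeed only if the divert rule is the final
# (highest-numbered) rule emitted, i.e. ordered after all deny rules.
divert_is_last() {
    anti_spoof_rules "$1" | tail -n 1 | grep -q 'divert natd'
}

# Usage: sh anti_spoof.sh fxp0         (print the rules for review)
#        sh anti_spoof.sh fxp0 | sh    (apply them, as root, on the gateway)
if [ "$#" -gt 0 ]; then
    anti_spoof_rules "$@"
fi
```

The script prints rather than applies so the generated rule set can be reviewed (and diffed against the running `ipfw list`) before it touches a live gateway; the log keyword on the deny rules also gives a cheap detection signal for spoofing attempts once net.inet.ip.fw.verbose is enabled.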