From owner-freebsd-net@FreeBSD.ORG Thu Feb 5 11:57:58 2004
From: "Matt Emmerton" (matt@gsicomp.on.ca)
To: "John"
Date: Thu, 5 Feb 2004 14:54:32 -0500
Subject: Re: IPFW and NAT - blocking RFC 1918 ("unregistered") network that matches my own
Message-ID: <002601c3ec21$df9dea10$1200a8c0@gsicomp.on.ca>
References: <20040205134555.A28070@starfire.mn.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

----- Original Message -----
From: "John"
Sent: Thursday, February 05, 2004 2:45 PM
Subject: IPFW and NAT - blocking RFC 1918 ("unregistered") network that matches my own

> I am up and running with ipfw 2 and natd, but not all is quite well.
>
> I can't figure out how to block "spoofed" packets from the outside
> that use the same RFC 1918 network as the one I'm translating to.
> When I try to put that rule on the exterior interface, it ends up
> blocking the packets after they are translated.
>
> Specifically, the network I am using falls in the 192.168.0.0/16 range.
> (I won't publish exactly which one: you only have 254 to try...)
> If, however, I put in
>
>     ${fwcmd} add deny ip from any to 192.168.0.0/16 via ${oif}
>
> then I cut off my interior network entirely, due, presumably, to
> the pass through the rules after translation.
>
> I suspect that I need some combination of "in" or "recv", but I
> would like to actually UNDERSTAND what I'm doing instead of just
> trying combinations 'til it works. On the other hand, there are
> sysctl kernel parameters that might affect this behavior, or maybe
> other natd parameters - so maybe that's not even the ticket.

Your best resource is /etc/rc.firewall. Look at the "simple"
configuration. It has rules for RFC1918 nets both before and after
the divert rule, and explains why.

--
Matt Emmerton
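The ordering Matt points at, written out as an added example (this is not code from the thread or a copy of /etc/rc.firewall, only a sketch modelled on its "simple" section). The interface names fxp0/fxp1 and the dry-run default are assumptions; by default it only prints the rules so the ordering can be inspected on any host, and FWCMD=/sbin/ipfw loads them on a real gateway. The comments explain what each rule sees relative to the natd divert point, which is the part John asked to understand:

```shell
#!/bin/sh
# Added example, modelled on the "simple" section of /etc/rc.firewall.
# Not the page's code. Interface names and the dry-run default are assumptions.

oif="${OIF:-fxp0}"          # exterior interface (assumed name)
iif="${IIF:-fxp1}"          # interior interface (assumed name)
inet="192.168.0.0/16"       # the RFC 1918 block the inside LAN lives in

# Dry run by default: "echo ipfw" just prints the rules. Set FWCMD=/sbin/ipfw
# (as root, on the gateway) to actually load them.
fwcmd="${FWCMD:-echo ipfw}"

emit_rules() {
    # ipfw walks the list in rule-number order and the divert rule rewrites
    # addresses in the middle of it, so what a rule "sees" depends on whether
    # it sits before or after the divert.

    # BEFORE divert: an inbound packet on ${oif} still carries its on-the-wire
    # addresses. Anything from the Internet addressed to a private destination
    # is bogus and is dropped here. A legitimate reply to an inside host is
    # still addressed to the public IP at this point, so this rule does not
    # cut off the interior network (it only does that if placed after divert).
    ${fwcmd} add 100 deny ip from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add 110 deny ip from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add 120 deny ip from any to ${inet} via ${oif}

    # Translation point. Inbound: public destination -> private destination.
    # Outbound: private source -> public source.
    ${fwcmd} add 200 divert natd ip from any to any via ${oif}

    # AFTER divert: a spoofed inbound packet whose SOURCE is private still has
    # that source (natd only rewrote the destination on the way in), so it is
    # caught here. A legitimate outbound LAN packet has already had its source
    # rewritten to the public address, so it is not matched.
    ${fwcmd} add 300 deny ip from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add 310 deny ip from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add 320 deny ip from ${inet} to any via ${oif}

    # If you would rather catch the spoofed source in front of the divert,
    # restrict the rule to the inbound direction so untranslated outbound
    # LAN traffic (still sourced from ${inet}) is not matched:
    # ${fwcmd} add 130 deny ip from ${inet} to any in via ${oif}

    # The inside interface never sees translated addresses, so no ordering
    # concern there.
    ${fwcmd} add 400 allow ip from any to any via ${iif}
}

# Rule number of the first emitted rule matching a pattern (dry-run output
# looks like "ipfw add 120 deny ..."); used to check ordering offline.
rule_number() {
    emit_rules | awk -v pat="$1" '$0 ~ pat && !found { print $3; found = 1 }'
}

emit_rules
```

The `via ${oif}` form matches the packet in either direction on that interface; `in via ${oif}` (equivalently `recv ${oif}` for inbound traffic) narrows it to packets arriving on it, which is what lets the spoofed-source rule sit in front of the divert without touching outbound LAN traffic.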