From owner-freebsd-current@freebsd.org Thu Sep 29 13:24:18 2016
Return-Path:
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D04E6C00206; Thu, 29 Sep 2016 13:24:18 +0000 (UTC) (envelope-from ohartman@zedat.fu-berlin.de)
Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 94E14EF7; Thu, 29 Sep 2016 13:24:18 +0000 (UTC) (envelope-from ohartman@zedat.fu-berlin.de)
Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.85) with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (envelope-from ) id <1bpbJw-002IkD-MC>; Thu, 29 Sep 2016 15:24:16 +0200
Received: from x55b3873c.dyn.telefonica.de ([85.179.135.60] helo=thor.walstatt.dynvpn.de) by inpost2.zedat.fu-berlin.de (Exim 4.85) with esmtpsa (TLSv1.2:AES256-GCM-SHA384:256) (envelope-from ) id <1bpbJw-001dYP-Cb>; Thu, 29 Sep 2016 15:24:16 +0200
Date: Thu, 29 Sep 2016 15:24:11 +0200
From: "O. Hartmann"
To: Daniel Kalchev
Cc: FreeBSD CURRENT , freebsd-security@freebsd.org
Subject: Re: IPFW on CURRENT: NAT forwarding exposes internal IP!
Message-ID: <20160929152411.7a9c3f4f.ohartman@zedat.fu-berlin.de>
In-Reply-To: <6C0203C4-F332-42B1-AF62-18723E63E112@digsys.bg>
References: <20160929144755.2e4f7800.ohartman@zedat.fu-berlin.de> <6C0203C4-F332-42B1-AF62-18723E63E112@digsys.bg>
Organization: FU Berlin
X-Mailer: Claws Mail 3.14.0 (GTK+ 2.24.29; amd64-portbld-freebsd12.0)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
X-Originating-IP: 85.179.135.60
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Thu, 29 Sep 2016 13:24:18 -0000