From owner-freebsd-security@FreeBSD.ORG Fri Jun 20 03:40:58 2003
From: Jim Hatfield
To: freebsd-security@freebsd.org
Date: Fri, 20 Jun 2003 11:40:55 +0100
Organization: Insignia Solutions
Subject: Re: IPFW: combining "divert natd" with "keep-state"
In-Reply-To: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>

On Wed, 11 Jun 2003 12:20:20 +0100, in local.freebsd.security you wrote:

>: ipfw -f flush
>: ipfw add 100 divert natd ip from any to any via rl0 in
>: ipfw add 200 check-state
>: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
>: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0
>: ipfw add 400 skipto 500 ip from any to any out via rl0 keep-state
>: ipfw add 500 divert natd ip from any to any out via rl0
>: ipfw add 600 deny ip from 192.168.0.0/16 to any out via rl0
>: ipfw add 600 deny ip from any to 192.168.0.0/16 out via rl0
>: ipfw add 65000 allow ip from any to any

Tricky indeed. I've been playing with the rules suggested by Greg Panula,
but I don't really like them for a couple of reasons:

- I prefer to keep the internal interface open. I often telnet into the
  router and keep the session open and inactive for hours, and the dynamic
  rules time out and kill it.

- a rule is created which is never used, i.e. the outgoing packet starting
  a conversation creates two rules, only one of which is used in the
  check-state to match incoming.

So I will try out your set. But one question first: do you ever get hits
on the second rule 300? I would have thought it very difficult for anyone
to route a packet to you with a non-routable destination address. Surely
only your ISP could do that?

Jim
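A constructed Python model of how the quoted ruleset handles a few packets on rl0, added here as an example and not code from the thread or from FreeBSD; the external address, the natd session table keyed by remote host, the address-only matching and the rule semantics (divert reinjects at the next rule, check-state matches either direction of a recorded flow) are simplifying assumptions.

```python
"""Toy model of the quoted ipfw ruleset (constructed example, not FreeBSD code).

Simplifications: addresses only (no ports or protocol), natd is a masquerade
table keyed by the remote host, dynamic rules only expire when expire() is
called, a diverted packet is reinjected at the rule after the divert rule,
and check-state matches a recorded flow in either direction. Every packet
is assumed to traverse rl0.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.0.0/16")
EXT_ADDR = ip_address("203.0.113.1")  # constructed public address of rl0


class Router:
    def __init__(self):
        self.nat = {}     # remote host -> internal host (natd's session table)
        self.dyn = set()  # frozenset({a, b}) flows recorded by keep-state

    def expire(self):
        """Model ipfw dynamic rules timing out while natd keeps its session."""
        self.dyn.clear()

    def natd(self, src, dst, direction):
        if direction == "out" and src in INTERNAL:
            self.nat[dst] = src
            return EXT_ADDR, dst
        if direction == "in" and dst == EXT_ADDR and src in self.nat:
            return src, self.nat[src]
        return src, dst

    def process(self, src, dst, direction):
        """Return (rule number, action) of the rule that ends processing."""
        src, dst = ip_address(src), ip_address(dst)
        if direction == "in":                       # 100 divert natd ... in
            src, dst = self.natd(src, dst, "in")
        if frozenset({src, dst}) in self.dyn:       # 200 check-state
            return 200, "allow"
        if direction == "in" and src in INTERNAL:   # 300 deny 192.168/16 -> any in
            return 300, "deny"
        if direction == "in" and dst in INTERNAL:   # 300 deny any -> 192.168/16 in
            return 300, "deny"
        if direction == "out":                      # 400 skipto 500 ... keep-state
            self.dyn.add(frozenset({src, dst}))
            src, dst = self.natd(src, dst, "out")   # 500 divert natd ... out
            if src in INTERNAL or dst in INTERNAL:  # 600 deny (both rules)
                return 600, "deny"
        return 65000, "allow"                       # 65000 allow ip from any to any
```

In this model an unsolicited packet addressed to rl0's own address falls through to rule 65000, and a reply that arrives after the dynamic rule has expired while natd still holds the session is de-NATed by rule 100 and then stopped by the second rule 300.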