Date: Tue, 11 Jul 2000 20:33:27 -0400 (EDT)
From: Colin <cwass99@home.com>
To: Doug White <dwhite@resnet.uoregon.edu>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: natd inconsistencies
Message-ID: <XFMail.000711203327.cwass99@home.com>
In-Reply-To: <Pine.BSF.4.21.0007101647360.23759-100000@resnet.uoregon.edu>
I'm still not sure I understand why this works the way it does, but I'm digging
through the code for ipfw and natd, so we'll see where that leads. In the
meantime, I can't believe I'm the only person who has hit this. To that end,
I'm proposing a minor change to rc.firewall (diff at the end of the message).
Specifically, I moved the conditional addition of the divert rule to after the
spoofing and RFC1918 rules. I don't see how this could reduce security, and it
resolves the issue I saw. Any comments on the advisability of this (good or bad)
or can I get someone to move this in for 4.1?

Thanks.

*** rc.firewall.old Tue Jul 11 20:07:12 2000
--- rc.firewall.new Tue Jul 11 20:54:23 2000
***************
*** 65,83 ****
#
${fwcmd} -f flush
- ############
- # These rules are required for using natd. All packets are passed to
- # natd before they encounter your remaining rules. The firewall rules
- # will then be run again on each packet after translation by natd,
- # minus any divert rules (see natd(8)).
- #
- case ${natd_enable} in
- [Yy][Ee][Ss])
- if [ -n "${natd_interface}" ]; then
- ${fwcmd} add divert natd all from any to any via ${natd_interface}
- fi
- ;;
- esac
############
# If you just configured ipfw in the kernel as a tool to solve network
--- 65,70 ----
***************
*** 165,171 ****
imask="255.255.255.240"
iip="192.0.2.17"
! # Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
--- 152,158 ----
imask="255.255.255.240"
iip="192.0.2.17"
! # Stop spoofing. These rules should preceed the divert rule for natd if used.
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
***************
*** 176,181 ****
--- 163,183 ----
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
+
+
+ ############
+ # These rules are required for using natd. All packets are passed to
+ # natd before they encounter your remaining rules. The firewall rules
+ # will then be run again on each packet after translation by natd,
+ # minus any divert rules (see natd(8)).
+ #
+ case ${natd_enable} in
+ [Yy][Ee][Ss])
+ if [ -n "${natd_interface}" ]; then
+ ${fwcmd} add divert natd all from any to any via ${natd_interface}
+ fi
+ ;;
+ esac
# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}

On 10-Jul-00 Doug White wrote:
> On Mon, 10 Jul 2000, Colin wrote:
>
>> I found this rule was the problem using ipfw show (a very useful command
>> when you're building a ruleset to see what is blocking you) which is why I
>> moved it. My concern is that it shouldn't block packets from an external
>> source (eg www.FreeBSD.org ;) to 192.168.0.0/24. It should only block packets
>> from that network incoming on the external interface. I understood natd would
>> alter the dest addr on the inbound packet if it was in the table but not touch
>> the source addr. Is this not the case? Or am I missing something obvious in
>> the operation?
>
> Don't forget about the return packets :)
>
> Doug White | FreeBSD: The Power to Serve
> dwhite@resnet.uoregon.edu | www.FreeBSD.org

Cheers,
Colin

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
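Review bot: (hunk "*** 65,83 ****") the comment carried away here, "All packets are passed to natd before they encounter your remaining rules", stops being true once the block lives below the spoofing and RFC1918 rules; when the block is re-added it should say that packets reach natd only after those address checks, and that only the rules after the divert are re-run on the translated packet.

Review bot: (hunk "*** 165,171 ****") the new comment line has a typo, "preceed" should be "precede". It would also help to say why the order matters, since the rule text alone does not: natd rewrites the destination of an inbound return packet to the inside address, so a "deny all from any to 192.168.0.0/16 via ${oif}" rule evaluated after the divert would drop the translated reply.

Review bot: (hunk "*** 176,181 ****") "${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}" now sits before the divert rule, and "via" matches both directions, so an outbound packet from an RFC1918 inside host is denied before natd ever rewrites its source. With the example inet of 192.0.2.16/28 this is harmless, but for the 192.168.0.0/24 inside net discussed in the quoted reply, outbound NAT stops working. Either keep only the "to <RFC1918>" rules ahead of the divert, or add the "from <RFC1918> ... via ${oif}" rules after it, where they still catch spoofed inbound sources (natd does not touch the source of an inbound packet) but no longer see the untranslated outbound packets.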
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.000711203327.cwass99>
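The rule-ordering interaction debated in this thread, as an added example that is not part of the message, of rc.firewall, or of ipfw/natd: a small Python model of first-match rule evaluation with a "divert natd" rule, following the semantics in ipfw(8) and natd(8) (the translated packet re-enters the ruleset at the rule after the divert rule, and "via IF" matches either direction). It goes a step beyond the thread by running both orderings against both an RFC1918 inside net (Colin's 192.168.0.0/24 case) and the non-RFC1918 example net from rc.firewall. The interface names, the public address 192.0.2.1, the peer 203.0.113.9 and the flow table are assumptions constructed for the example.

```python
"""Toy model of ipfw first-match evaluation around a 'divert natd' rule.

Added example for this thread, not code from rc.firewall, ipfw or natd.
Modelled semantics (per ipfw(8) and natd(8)):
  * rules are tried in order; the first allow/deny that matches decides;
  * "via IF" matches on IF in either direction, "in via IF" only inbound;
  * a matching divert rule hands the packet to natd, which rewrites the
    source (outbound) or destination (inbound), and the translated packet
    re-enters the ruleset at the rule after the divert rule.
Interface names, the public address and the peer address are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

OIF, IIF = "fxp0", "fxp1"     # assumed outside / inside interfaces
PUBLIC = "192.0.2.1"          # assumed public address owned by the NAT box
PEER = "203.0.113.9"          # constructed external host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str            # "in" or "out"


@dataclass(frozen=True)
class Rule:
    action: str               # "allow", "deny" or "divert"
    src: str                  # CIDR or "any"
    dst: str
    iface: Optional[str] = None       # "via IF"
    direction: Optional[str] = None   # "in"/"out" qualifier, None = either

    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.iface is None or p.iface == self.iface)
                and (self.direction is None or p.direction == self.direction))


class Natd:
    """Minimal natd: inside hosts share PUBLIC; table is keyed by peer address."""
    def __init__(self, inside_net: str):
        self.inside = ipaddress.ip_network(inside_net)
        self.table = {}       # peer address -> inside host that talked to it

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out" and ipaddress.ip_address(p.src) in self.inside:
            self.table[p.dst] = p.src
            return replace(p, src=PUBLIC)
        if p.direction == "in" and p.dst == PUBLIC and p.src in self.table:
            return replace(p, dst=self.table[p.src])   # return packet: rewrite dst
        return p


def run(rules, natd: Natd, p: Packet):
    """Walk the ruleset; return (verdict, index of deciding rule, final packet)."""
    for i, r in enumerate(rules):
        if not r.matches(p):
            continue
        if r.action == "divert":
            p = natd.translate(p)     # continue with the next rule, as natd(8) says
        else:
            return r.action, i, p
    return "deny", None, p            # kernel default when no rule matched


def ruleset(divert_first: bool, inside_net: str):
    """The rc.firewall 'simple' rules relevant here, in the two orderings."""
    divert = Rule("divert", "any", "any", iface=OIF)
    checks = [
        Rule("deny", inside_net, "any", iface=OIF, direction="in"),   # anti-spoof
        Rule("deny", "192.168.0.0/16", "any", iface=OIF),             # RFC1918 out
        Rule("deny", "any", "192.168.0.0/16", iface=OIF),             # RFC1918 in
    ]
    rules = [divert] + checks if divert_first else checks + [divert]
    return rules + [Rule("allow", "any", "any")]


def exchange(divert_first: bool, inside_net: str, inside_host: str):
    """One outbound packet and its reply; returns both verdicts and the
    destination the reply carries after the ruleset has run."""
    natd, rules = Natd(inside_net), ruleset(divert_first, inside_net)
    v_out, _, _ = run(rules, natd, Packet(inside_host, PEER, OIF, "out"))
    v_in, _, reply = run(rules, natd, Packet(PEER, PUBLIC, OIF, "in"))
    return v_out, v_in, reply.dst


if __name__ == "__main__":
    for first in (True, False):
        for net, host in (("192.168.0.0/24", "192.168.0.5"), ("192.0.2.16/28", "192.0.2.17")):
            print(f"divert_first={first!s:5} inside={net:15} ->", exchange(first, net, host))
```

With the divert rule first and an RFC1918 inside net, the outbound packet passes but the reply is denied by the "to 192.168.0.0/16 via oif" rule after natd has rewritten its destination, which is the behaviour Colin saw and Doug's "return packets" remark. With the divert rule last, the same inside net is denied on the way out by the "from 192.168.0.0/16 via oif" rule before natd can rewrite the source; only the non-RFC1918 example net (192.0.2.16/28) works in both orderings.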