From owner-freebsd-security Mon Jul 24 15:55:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id B05C637BBBF for ; Mon, 24 Jul 2000 15:55:05 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id PAA49471; Mon, 24 Jul 2000 15:54:51 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200007242254.PAA49471@gndrsh.dnsmgr.net>
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <20000724.23345600@bartequi.ottodomain.org> from Salvo Bartolotta at "Jul 24, 2000 11:34:56 pm"
To: bartequi@inwind.it (Salvo Bartolotta)
Date: Mon, 24 Jul 2000 15:54:50 -0700 (PDT)
Cc: dmartin@origen.com (Richard Martin), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you wish to make yourself even sicker, run an ndc dump and grovel through the file for RFC1918 addresses. It is sites not knowing how to do split DNS that are leaking RFC1918 addresses into DNS, and that is causing some of these that we see cross our border routers. (And yes, we have an AS policy that filters all RFC1918 src and dst addresses at all borders, up and down stream.)
Here is a day's worth of counts from one router:

00400   441   67618 deny log logamount 100 ip from 10.0.0.0/8 to any
00400     8    7746 deny log logamount 100 ip from 172.16.0.0/12 to any
00400    13     898 deny log logamount 100 ip from 192.168.0.0/16 to any
00500     5     294 deny log logamount 100 ip from any to 10.0.0.0/8
00500     4     242 deny log logamount 100 ip from any to 172.16.0.0/12
00500    53    2417 deny log logamount 100 ip from any to 192.168.0.0/16

> On 7/25/00, 12:18:04 AM, Richard Martin wrote
> regarding Re: Problems with natd and simple firewall:
>
> > On the other hand, I do see packets hitting the other inbound RFC 1918
> > filters from time to time. Someone should have a talk with those routers...
> > A low level concern, but still a concern.
>
> I have regularly (maybe I should say "systematically") been
> logging RFC-1918-spoofed packets coming through my ISP in the past few
> months.
> I have also been using a closed (stateful) packet filter.
>
> Needless to say, I phoned my ISP "technicians"; I also sent mail, but
> I still regularly see those packets almost every day. What's more,
> this is, er, a big national (!) ISP in my country.
>
> The (IPv4) 'Net may be insecure by ... definition, but this kind of
> thoughtlessness seems to me even worse.
>
> Best regards,
> Salvo
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
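The two checks Rod describes above, summarizing the ipfw border-rule counters per RFC 1918 prefix and direction, and grovelling through an ndc dump for A records that point into RFC 1918 space, as an added example. This is not code from the original mail or from FreeBSD; the ipfw sample reuses the six counter lines quoted above plus a constructed allow rule, the zone excerpt is constructed, and the BIND master-file handling (";" comments, "$" directives, blank-owner continuation lines) is an assumption about the dump format rather than something the mail states.

```python
"""RFC 1918 leak checks (added example; not from the original mail or FreeBSD):
  1. summarize_ipfw: per-prefix, per-direction packet/byte totals from
     `ipfw -a show` output for deny rules that name an RFC 1918 prefix;
  2. find_leaked_a_records: A records inside RFC 1918 space in a BIND zone
     dump (ndc dump -> named_dump.db, master-file format).
All sample input at the bottom is constructed for this example."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_rfc1918(text):
    """True if text is an IPv4 address or prefix inside an RFC 1918 block.
    Non-addresses such as "any" and IPv6 return False instead of raising."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


# `ipfw -a show` line: "<rule> <pkts> <bytes> <action> [log ...] <proto> from <src> to <dst> ..."
IPFW_LINE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<action>\S+)\s+.*?"
    r"\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)")


def summarize_ipfw(lines):
    """Map (direction, prefix) -> (packets, bytes) for deny rules whose source
    ("src") or destination ("dst") is an RFC 1918 prefix; other rules are skipped."""
    totals = {}
    for line in lines:
        m = IPFW_LINE.match(line.strip())
        if not m or m.group("action") != "deny":
            continue
        if in_rfc1918(m.group("src")):
            key = ("src", m.group("src"))
        elif in_rfc1918(m.group("dst")):
            key = ("dst", m.group("dst"))
        else:
            continue
        pkts, byts = totals.get(key, (0, 0))
        totals[key] = (pkts + int(m.group("pkts")), byts + int(m.group("bytes")))
    return totals


def find_leaked_a_records(zone_lines):
    """Return [(owner, address)] for A records whose address is RFC 1918.
    Assumed master-file conventions: ';' starts a comment, '$' starts a
    directive, and a line beginning with whitespace reuses the previous owner."""
    leaks, owner = [], None
    for raw in zone_lines:
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():          # raw is non-empty here, since line is
            owner = fields.pop(0)
        # remaining fields: [ttl] [class] type rdata; for A the rdata is one address
        if len(fields) >= 2 and fields[-2] == "A" and in_rfc1918(fields[-1]):
            leaks.append((owner, fields[-1]))
    return leaks


# Constructed sample: the six counter lines from the mail plus one allow rule.
IPFW_SAMPLE = """\
00400 441 67618 deny log logamount 100 ip from 10.0.0.0/8 to any
00400 8 7746 deny log logamount 100 ip from 172.16.0.0/12 to any
00400 13 898 deny log logamount 100 ip from 192.168.0.0/16 to any
00500 5 294 deny log logamount 100 ip from any to 10.0.0.0/8
00500 4 242 deny log logamount 100 ip from any to 172.16.0.0/12
00500 53 2417 deny log logamount 100 ip from any to 192.168.0.0/16
65535 9999 1234567 allow ip from any to any
""".splitlines()

# Constructed zone excerpt in master-file format (hypothetical names).
ZONE_SAMPLE = """\
$ORIGIN example.net.
; constructed excerpt of a named_dump.db
www      3600 IN A    198.51.100.10
intranet 3600 IN A    10.1.2.3        ; leaks an internal address
         3600 IN A    10.1.2.4        ; same owner, second address
mail     3600 IN MX   10 mx.example.net.
mx       3600 IN A    203.0.113.5
printer  3600 IN A    192.168.44.9
v6host   3600 IN AAAA 2001:db8::1
""".splitlines()

if __name__ == "__main__":
    for (direction, prefix), (pkts, byts) in sorted(summarize_ipfw(IPFW_SAMPLE).items()):
        print(f"{direction} {prefix:16} {pkts:6d} pkts {byts:8d} bytes")
    for owner, addr in find_leaked_a_records(ZONE_SAMPLE):
        print(f"leak: {owner} A {addr}")
```

On a real box you would feed `ipfw -a show` and the dump file in through `sys.stdin` or `open()`; the regex is deliberately loose about what sits between the action and `from`, because `log logamount N` and the protocol keyword vary between rules, and `in_rfc1918` accepts either a bare address or a prefix so the same helper serves both checks.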