From owner-freebsd-security@FreeBSD.ORG Fri Jun 20 06:13:27 2003
Date: Fri, 20 Jun 2003 06:13:22 -0700 (PDT)
From: David Wolfskill <david@catwhisker.org>
Message-Id: <200306201313.h5KDDMGI066097@bunrab.catwhisker.org>
To: Jan.Grant@bristol.ac.uk, subscriber@insignia.com
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW: combining "divert natd" with "keep-state"
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 20 Jun 2003 13:13:27 -0000

>Date: Fri, 20 Jun 2003 13:47:18 +0100 (BST)
>From: Jan Grant
>To: Jim Hatfield
>Cc: freebsd-security@freebsd.org
>Subject: Re: IPFW: combining "divert natd" with "keep-state"

>> >: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
>> >: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0

>> But one question first: do you ever get hits on the second rule 300?
>> I would have thought it very difficult for anyone to route a packet to
>> you with a non-routable destination address. Surely only your ISP
>> could do that?

>Do you trust your ISP?
>If the choice is between a rule that has no benefit providing everyone
>configured their stuff correctly, and leaving out the safety-net because
>you expect to not need it, that's a pretty simple choice.

Indeed.

I'm not using that particular set of rules, but I do block RFC 1918
netblocks on the external interface. And I do see attempts at traffic:

Jun 19 02:14:28 janus /kernel: ipfw: 6000 Deny UDP 10.28.227.64:32769 63.193.123.122:53 in via dc0
Jun 19 02:14:57 janus last message repeated 18 times

I expect this is a result of a misconfiguration (or lack of
configuration) on someone's part. Regardless, I won't have anything to
do with it.

(I also block packets with certain oddball options set, though I have
yet to see any.)

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Based on what I have seen to date, the use of Microsoft products is not
consistent with reliability. I recommend FreeBSD for reliable systems.
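An added example, not code from this thread, from David Wolfskill or from the FreeBSD project, showing two things the message above touches on: the pair of rule-300 lines quoted in the thread generalised to all three RFC 1918 netblocks with logging enabled, and a small reader for the resulting ipfw log lines that folds syslog's "last message repeated N times" into the preceding deny (so the 18 repeats in David's log count as 18 more packets, not as noise). The interface names, rule numbers and every log line other than the two quoted from the message are constructed for the example; the only ipfw syntax used is `add <num> deny log <proto> from <src> to <dst> in via <iface>`.

```python
"""Added example: RFC 1918 bogon rules for ipfw(8) and a parser for the deny log.

Not part of the original mailing-list post. Rule numbers, the interface name
and all sample log lines except the two quoted from the thread are constructed.
"""
import ipaddress
import re
from collections import Counter

RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def ipfw_rfc1918_rules(ext_if: str, first_rule: int = 300) -> list:
    """Emit the quoted rule pair for every RFC 1918 block, with 'log' added.

    Both rules match on 'in via <ext_if>': a private source address arriving
    from the outside is spoofed or leaked, and a private destination address
    arriving from the outside can only have been forwarded by the upstream.
    """
    rules = []
    num = first_rule
    for net in RFC1918_NETS:
        rules.append(f"ipfw add {num} deny log ip from {net} to any in via {ext_if}")
        rules.append(f"ipfw add {num} deny log ip from any to {net} in via {ext_if}")
        num += 10
    return rules


# One ipfw log entry. Ports are optional so ICMP lines (no ports) also parse.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
# syslogd collapses identical consecutive messages into this line.
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def parse_ipfw_log(lines):
    """Return [(fields, packet_count)] for every ipfw entry in the log.

    A 'last message repeated N times' line adds N to the entry just before it,
    but only if that entry was an ipfw line; otherwise the repeat belongs to
    some other daemon's message and is ignored.
    """
    events = []
    last_was_ipfw = False
    for line in lines:
        m = IPFW_RE.search(line)
        if m:
            events.append([m.groupdict(), 1])
            last_was_ipfw = True
            continue
        r = REPEAT_RE.search(line)
        if r and last_was_ipfw:
            events[-1][1] += int(r.group("n"))
            continue  # the repeated message is still the ipfw line
        last_was_ipfw = False
    return [(fields, n) for fields, n in events]


def rfc1918_hits(lines) -> Counter:
    """Packets denied per (reason, src, dst, proto, dport, iface) where an
    RFC 1918 address was involved. Other denies are left out."""
    hits = Counter()
    for f, n in parse_ipfw_log(lines):
        if f["action"] != "Deny":
            continue
        if is_rfc1918(f["src"]):
            reason = "rfc1918-source"
        elif is_rfc1918(f["dst"]):
            reason = "rfc1918-destination"
        else:
            continue
        hits[(reason, f["src"], f["dst"], f["proto"], f["dport"] or "-", f["iface"])] += n
    return hits


# Constructed sample: the first two lines are the ones quoted in the message,
# the rest are made up to exercise the repeat handling and the ICMP format.
SAMPLE_LOG = """\
Jun 19 02:14:28 janus /kernel: ipfw: 6000 Deny UDP 10.28.227.64:32769 63.193.123.122:53 in via dc0
Jun 19 02:14:57 janus last message repeated 18 times
Jun 19 03:01:10 janus /kernel: ipfw: 6000 Deny TCP 203.0.113.50:4112 192.168.0.1:80 in via dc0
Jun 19 03:01:11 janus sshd[123]: Accepted publickey for david from 203.0.113.7
Jun 19 03:01:12 janus last message repeated 2 times
Jun 19 03:05:00 janus /kernel: ipfw: 6500 Deny TCP 198.51.100.9:4444 63.193.123.122:22 in via dc0
Jun 19 03:05:01 janus /kernel: ipfw: 6000 Deny ICMP:8.0 172.16.5.5 63.193.123.122 in via dc0
""".splitlines()

if __name__ == "__main__":
    for rule in ipfw_rfc1918_rules("dc0"):
        print(rule)
    for key, count in sorted(rfc1918_hits(SAMPLE_LOG).items()):
        print(count, *key)
```

The rules only cover the inbound direction, as in the thread; outbound rules on the external interface belong after the `divert natd` rule, or packets from the inside would be dropped before NAT rewrites their source. The "repeated 2 times" line after the sshd message is deliberately not attributed to an ipfw deny.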