From owner-freebsd-security Mon Aug 17 15:00:51 1998
Message-ID: <35D8A7E8.2DC50695@partitur.se>
Date: Tue, 18 Aug 1998 00:00:08 +0200
From: Palle Girgensohn <girgen@partitur.se>
Organization: Partitur
X-Mailer: Mozilla 4.5b1 [en] (X11; I; SunOS 5.6 sun4u)
To: freebsd-security@FreeBSD.ORG
Subject: private network on router's external NIC?
Sender: owner-freebsd-security@FreeBSD.ORG

Hi!

I have a question. For some time, I've been filtering packets using ipfw. The setup is a FreeBSD machine with two NICs that routes between an external network, with this machine and a Cisco on it, and our internal LAN (which also has TRUE Internet addresses). No private network number stuff, no natd. Just plain routing.

Every once in a while, packets from 192.168.x.y on the external interface are logged and deferred. They are mostly trying to reach the http port of one of our web servers (inside), but also sometimes ports 137-139 (netbios-*) and a few others. Are they really attempted break-ins? All of them? They show up almost every day, though in small numbers (10-20, perhaps, usually from different IP numbers on different days).

I have these commands in my ipfw setup, taken from the system's rc.firewall:

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

Makes sense to me. So, how do these IP numbers get out on the Internet? How do they get routed anywhere; they're supposed to be private?

/Palle

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
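The rc.firewall rules quoted in the post deny three RFC 1918 ranges on the outside interface (192.168.0.0 with mask 255.255.0.0, 172.16.0.0 with mask 255.240.0.0, and 10.0.0.0 with mask 255.0.0.0). The script below is an added example, not code from the post or from FreeBSD: it applies the same three network/mask pairs to a batch of ipfw deny-log lines and tallies the hits by private range, protocol and destination port, which is the kind of summary one would want before deciding whether the daily trickle of 192.168.x.y packets looks like scanning. The log lines are constructed for illustration, the outside interface name `ed0`, the inside interface `ed1` and the documentation-range destination 192.0.2.10 are assumptions, and the "Deny PROTO src:port dst:port in via IF" line shape is assumed from the ipfw log format of that era rather than copied from the post.

```python
"""Classify ipfw deny-log entries by the RFC 1918 ranges that rc.firewall blocks.

Added example, not part of the original mailing-list post. SAMPLE_LOG is
constructed; the interface names and the 192.0.2.10 destination are assumed.
"""
import ipaddress
import re
from collections import Counter

# The three nets the posted rules deny on the outside interface, in CIDR form:
# 255.255.0.0 -> /16, 255.240.0.0 -> /12, 255.0.0.0 -> /8.
RFC1918_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Assumed ipfw log shape: "ipfw: <rule> <Action> <proto> <src>[:<port>] <dst>[:<port>] in|out via <if>".
# ICMP entries carry no ports and a proto token like "ICMP:8.0", hence \S+ for proto.
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


def rfc1918_net(addr):
    """Return the RFC 1918 network containing addr, or None for a public address.

    Note the /12 boundary: 172.31.x.x is private, 172.32.x.x is not.
    """
    ip = ipaddress.ip_address(addr)
    for net in RFC1918_NETS:
        if ip in net:
            return net
    return None


def parse_ipfw_line(line):
    """Parse one syslog line into a dict, or None if it is not an ipfw entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ent = m.groupdict()
    ent["rule"] = int(ent["rule"])
    ent["sport"] = int(ent["sport"]) if ent["sport"] else None
    ent["dport"] = int(ent["dport"]) if ent["dport"] else None
    return ent


def summarize(lines, outside_iface):
    """Count denied packets from RFC 1918 sources seen on outside_iface.

    Returns a Counter keyed by (private net as string, proto, dst port).
    Entries on other interfaces, entries from public sources and unparsable
    lines are ignored.
    """
    counts = Counter()
    for line in lines:
        ent = parse_ipfw_line(line)
        if ent is None or ent["iface"] != outside_iface:
            continue
        net = rfc1918_net(ent["src"])
        if net is None:
            continue
        counts[(str(net), ent["proto"], ent["dport"])] += 1
    return counts


# Constructed sample: what a day of "Stop RFC1918 nets" hits might look like.
SAMPLE_LOG = [
    "Aug 17 14:02:11 gw /kernel: ipfw: 300 Deny TCP 192.168.1.23:1034 192.0.2.10:80 in via ed0",
    "Aug 17 14:05:40 gw /kernel: ipfw: 300 Deny TCP 192.168.77.5:2201 192.0.2.10:80 in via ed0",
    "Aug 17 14:05:41 gw /kernel: ipfw: 300 Deny UDP 192.168.1.23:137 192.0.2.10:137 in via ed0",
    "Aug 17 15:11:02 gw /kernel: ipfw: 500 Deny TCP 10.4.0.9:4455 192.0.2.10:139 in via ed0",
    "Aug 17 16:30:19 gw /kernel: ipfw: 400 Deny TCP 172.31.200.1:3333 192.0.2.10:80 in via ed0",
    "Aug 17 16:31:00 gw /kernel: ipfw: 300 Deny ICMP:8.0 192.168.9.9 192.0.2.10 in via ed0",
    # Inside interface: not an outside-interface hit, so not counted.
    "Aug 17 17:00:00 gw /kernel: ipfw: 300 Deny TCP 192.168.1.1:5555 192.0.2.10:80 in via ed1",
    # Public source: denied by some other rule, not an RFC 1918 hit.
    "Aug 17 17:20:45 gw /kernel: ipfw: 800 Deny TCP 198.51.100.7:40000 192.0.2.10:23 in via ed0",
    # Just past the 172.16/12 boundary: 172.32.0.1 is a public address.
    "Aug 17 17:21:03 gw /kernel: ipfw: 800 Deny TCP 172.32.0.1:40001 192.0.2.10:80 in via ed0",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG, "ed0").items(), key=str):
        print(f"{n:4d}  {key}")
```

Run as-is it prints the per-range tally for the constructed log; point it at `/var/log/security` (or wherever ipfw logging goes on the host) and set `outside_iface` to the real `${oif}` to get the same summary for live data. The 172.32.0.1 line is there to show why the mask on the second rule is 255.240.0.0 and not 255.255.0.0: the rule covers 172.16.0.0 through 172.31.255.255 and nothing beyond.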