From owner-freebsd-security Mon Aug 17 16:02:27 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA13618 for freebsd-security-outgoing; Mon, 17 Aug 1998 16:02:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA13611; Mon, 17 Aug 1998 16:02:23 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 6849 invoked by uid 1001); 17 Aug 1998 23:01:49 +0000 (GMT)
From: sthaug@nethelp.no
To: girgen@partitur.se
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: private network on router's external NIC?
In-Reply-To: Your message of "Tue, 18 Aug 1998 00:00:08 +0200"
References: <35D8A7E8.2DC50695@partitur.se>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 18 Aug 1998 01:01:49 +0200
Message-ID: <6847.903394909@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I have these commands in my ipfw setup, taken from the system's
> rc.firewall:
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> Makes sense to me. So, how do these IP numbers get out on the Internet?
> How do they get routed anywhere; they're supposed to be private?

Routing is normally done on *destination* address, so a *source* address
within the RFC 1918 address ranges is irrelevant to routing.
There are several reasons why such packets show up, e.g.:

- ISPs with the (bad) idea that they can use RFC 1918 for their internal
  network links, because (supposedly) the addresses won't get out. Guess
  what happens when you do a traceroute along one of these paths?

- Firewalls which leak internal addresses. I haven't seen these myself,
  but have heard of this happening.

- Crackers using RFC 1918 addresses for break-ins etc. because you won't
  be able to trace the source address.

There are good reasons why some of us filter the RFC 1918 addresses on
our border routers.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
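The destination-only forwarding decision and the six quoted ipfw rules, modelled on a toy border router. This is an added example and is neither part of the original mail nor FreeBSD's rc.firewall; the interface names fxp0/fxp1, the routing table, the router's own address 198.51.100.7 and every sample packet are assumptions constructed for illustration. It covers the three cases Steinar lists (traceroute replies from an RFC 1918-numbered ISP hop, an internal address leaking outbound, and a spoofed RFC 1918 source aimed at an inside host) and shows that the second one is forwarded happily unless the filter is in place.

```python
"""Toy model of RFC 1918 filtering on a border router (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 blocks the quoted ipfw rules deny 'via ${oif}'.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

OIF = "fxp0"  # external interface, the ${oif} of rc.firewall (assumed name)

# Hypothetical routing table: an RFC 1918 LAN behind fxp1 and the router's own
# external address; everything else follows the default route out of fxp0.
ROUTES = {
    "192.168.1.0/24": "fxp1",
    "198.51.100.7/32": "local",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str  # interface the packet arrived on


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def route(dst: str) -> str:
    """Forwarding looks only at the destination; the source is never consulted.
    That is exactly why a packet with an RFC 1918 source crosses the Internet
    as easily as any other."""
    ip = ipaddress.ip_address(dst)
    for prefix, iface in ROUTES.items():
        if ip in ipaddress.ip_network(prefix):
            return iface
    return OIF  # default route points at the outside


def denied_by_rfc1918_rules(pkt: Packet, out_iface: str) -> bool:
    """The six quoted rules collapse to one predicate: drop if either address is
    RFC 1918 and the packet passes 'via' the outside interface, in or out."""
    crosses_oif = OIF in (pkt.in_iface, out_iface)
    return crosses_oif and (is_rfc1918(pkt.src) or is_rfc1918(pkt.dst))


def forward(pkt: Packet, filtering: bool = True) -> str:
    """Return the egress interface ('local' for the router itself) or 'drop'."""
    out_iface = route(pkt.dst)
    if filtering and denied_by_rfc1918_rules(pkt, out_iface):
        return "drop"
    return out_iface


# Constructed sample traffic for the cases discussed in the mail.
SAMPLES = {
    # ICMP time-exceeded from an ISP hop numbered out of RFC 1918 (traceroute case)
    "isp_hop": Packet("10.200.0.1", "198.51.100.7", OIF),
    # Spoofed private source aimed at an inside host: routable on destination alone
    "spoofed": Packet("172.16.5.5", "192.168.1.10", OIF),
    # Inside address leaking towards the Internet (leaky-firewall case)
    "leak_out": Packet("192.168.1.10", "203.0.113.9", "fxp1"),
    # Ordinary traffic to the router is untouched by these rules
    "normal": Packet("203.0.113.9", "198.51.100.7", OIF),
}


def decisions(filtering: bool) -> dict:
    """Forwarding decision for every sample, with or without the RFC 1918 rules."""
    return {name: forward(pkt, filtering) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:9s} unfiltered={decisions(False)[name]:6s} filtered={decisions(True)[name]}")
```

Note that the LAN behind fxp1 itself uses 192.168.1.0/24: the rules only match traffic crossing the outside interface, so private addressing inside is unaffected, which is why the rc.firewall rules are safe to apply on a router that NATs an RFC 1918 network.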