Date: Tue, 8 Jun 1999 15:55:55 -0400
From: "Tenacious" <tMind@bigfoot.com>
To: <freebsd-questions@freebsd.org>
Subject: IPFW
Message-ID: <015201beb1e8$ec693740$3c29a8c0@tci.rdo>
References: <4.1.19990608214103.00a11250@k9.dds.nl>
I have FreeBSD 2.2.7. I would like to implement NATd/IPFW on the machine. However, I read some info lately on http://www.freebsddiary.com. It suggests that there is a problem using Natd/IPFW (listed below). My question is: has anyone encountered this kind of problem? Does this problem just occur in a particular version of FreeBSD? Or should I just go ahead and use IP Filter as the author said?

Thanks

Here is the text from http://www.freebsddiary.com/freebsd/firewall2.htm:

deny all

The default rule set within /etc/rc.firewall contains the following rule to comply with RFC 1918:

    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

However, with natd divert, this causes a problem (at least with -stable as of 1988/08/28). When a packet goes through natd, it gets reinjected at the start of the rules. Then the rules are seeing a packet from the outside with a destination within RFC 1918 space (i.e. within 192.168.*.*).

There are two known solutions:

1. delete the rule
2. upgrade to -current

#1 above is not very good. #2 is the best option at present. I took a third option, which is not recommended but does do some good. I moved the modified rule to be above the natd divert.

After a bit of thought, I've concluded that the above solution will be sufficient for me. I believe my ISP has sufficient filtering on their routers to prevent such attacks even reaching me.

I have also been told that IP Filter (http://www.freebsddiary.com/freebsd/ipfilter.htm) doesn't have this problem. I may just investigate that option.
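As an added illustration (not from the mail or the FreeBSD Diary page), a small Python model of the rule walk described above: it places the RFC 1918 deny rule either after or above the natd divert and compares reinjection at rule 1 (the -stable behaviour the mail describes) with resuming at the rule after the divert (assumed here to be what -current changed). The interface name, the addresses and the trailing allow rule are constructed for the model.

```python
import ipaddress

OIF = "ed0"                   # assumed outside interface name
PUBLIC_IP = "203.0.113.5"     # constructed public address of the gateway
LAN_HOST = "192.168.1.10"     # constructed host behind natd
RFC1918_192 = ipaddress.ip_network("192.168.0.0/16")

def deny_to_rfc1918(p):
    # $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    return p["via"] == OIF and ipaddress.ip_address(p["dst"]) in RFC1918_192

def divert_natd(p):
    # $fwcmd add divert natd all from any to any via ${oif}
    return p["via"] == OIF

def natd(p):
    """Inbound half of natd: rewrite the public destination to the LAN host."""
    return dict(p, dst=LAN_HOST) if p["dst"] == PUBLIC_IP else p

def ruleset(deny_above_divert):
    deny = ("deny", deny_to_rfc1918)
    divert = ("divert", divert_natd)
    return [deny, divert] if deny_above_divert else [divert, deny]

def evaluate(p, rules, reinject_at_start):
    """Walk the rules once; after natd, either restart at rule 1 (the -stable
    behaviour the mail describes) or resume at the rule after the divert."""
    diverted, i = False, 0
    while i < len(rules):
        action, match = rules[i]
        if action == "divert":
            if match(p) and not diverted:
                p, diverted = natd(p), True
                if reinject_at_start:
                    i = 0
                    continue
        elif match(p):
            return action
        i += 1
    return "allow"  # assumed: a final 'allow ip from any to any' rule

def outcome(deny_above_divert, reinject_at_start):
    """Return (legitimate inbound result, spoofed RFC 1918 inbound result)."""
    rules = ruleset(deny_above_divert)
    legit = {"src": "198.51.100.7", "dst": PUBLIC_IP, "via": OIF}  # constructed
    spoof = {"src": "198.51.100.7", "dst": LAN_HOST, "via": OIF}   # constructed
    return (evaluate(legit, rules, reinject_at_start),
            evaluate(spoof, rules, reinject_at_start))
```

In this model only the combination of the deny rule above the divert and resume-after-divert semantics lets translated inbound traffic through while still dropping packets from outside that are addressed to 192.168/16; with restart-at-rule-1 semantics the translated packet is denied regardless of where the rule sits.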
