From: "Tenacious" <tMind@bigfoot.com>
To: freebsd-questions@freebsd.org
Subject: IPFW
Date: Tue, 8 Jun 1999 15:55:55 -0400

I have FreeBSD 2.2.7. I would like to implement NATd/IPFW on the machine. However, I read some info lately on http://www.freebsddiary.com. It suggests that there is a problem using Natd/IPFW (listed below). My question is: has anyone encountered this kind of problem? Does this problem occur only in a particular version of FreeBSD? Or should I just go ahead and use IP Filter as the author said?

Thanks

Here is the text from http://www.freebsddiary.com/freebsd/firewall2.htm:

deny all

The default rule set within /etc/rc.firewall contains the following rule to comply with RFC 1918:

$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

However, with natd divert, this causes a problem (at least with -stable as of 1988/08/28). When a packet goes through natd, it gets reinjected at the start of the rules. Then the rules are seeing a packet from the outside with a destination within RFC 1918 space (i.e. within 192.168.*.*).

There are two known solutions:

1. delete the rule
2. upgrade to -current

#1 above is not very good. #2 is the best option at present. I took a third option, which is not recommended but does do some good. I moved the modified rule to be above the natd divert.

After a bit of thought, I've concluded that the above solution will be sufficient for me. I believe my ISP has sufficient filtering on their routers to prevent such attacks even reaching me.

I have also been told that IP Filter doesn't have this problem. I may just investigate that option.
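As an added illustration (not code from the post or from the freebsddiary article), here is a small Python model of the ordering problem quoted above: a constructed reply packet from the Internet to the gateway's public address is translated the way natd would translate it, then evaluated against a three-rule chain under two reinjection semantics, the "reinjected at the start of the rules" behaviour the article describes for -stable, and, as an assumption about what the -current upgrade changes, continuing at the rule after the divert. The interface name, the addresses and the trailing allow rule are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, replace
# Constructed placeholders: outside interface, gateway public address, NAT'd host.
OIF = "ed0"
PUBLIC_IP = "203.0.113.5"
INSIDE_HOST = "192.168.1.10"
RFC1918 = ipaddress.ip_network("192.168.0.0/16")
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is seen on ('via' in ipfw terms)
    natted: bool = False

def natd(pkt):
    """Inbound translation: the public address becomes the internal host."""
    if pkt.dst == PUBLIC_IP:
        return replace(pkt, dst=INSIDE_HOST, natted=True)
    return replace(pkt, natted=True)

# Predicates standing in for the rules' 'via ${oif}' clauses.
def deny_private_via_oif(p):   # deny all from any to 192.168.0.0/16 via ${oif}
    return p.iface == OIF and ipaddress.ip_address(p.dst) in RFC1918
def divert_via_oif(p):         # divert natd all from any to any via ${oif}
    return p.iface == OIF and not p.natted   # never divert the same packet twice

def run(rules, pkt, mode):
    """Walk the chain. After a divert the packet is translated and evaluation either
    restarts at rule 1 ('restart', as the article describes) or continues after the
    divert rule ('resume', assumed later behaviour). Returns (action, packet)."""
    i = 0
    while i < len(rules):
        action, match = rules[i]
        if not match(pkt):
            i += 1
            continue
        if action == "divert":
            pkt = natd(pkt)
            i = 0 if mode == "restart" else i + 1
            continue
        return action, pkt
    return "deny", pkt   # ipfw's implicit final deny
ALLOW_REST = ("allow", lambda p: True)   # stands in for the rest of the rc.firewall chain
DEFAULT_ORDER = [("divert", divert_via_oif), ("deny", deny_private_via_oif), ALLOW_REST]
MOVED_ORDER = [("deny", deny_private_via_oif), ("divert", divert_via_oif), ALLOW_REST]
INBOUND = Packet(src="198.51.100.7", dst=PUBLIC_IP, iface=OIF)   # constructed reply from outside
def outcomes():
    """Final action for INBOUND under each rule order and reinjection mode."""
    return {(name, mode): run(rules, INBOUND, mode)[0]
            for name, rules in (("default", DEFAULT_ORDER), ("deny-above-divert", MOVED_ORDER))
            for mode in ("restart", "resume")}
```

In this model the translated reply only passes when the RFC 1918 deny rule sits above the divert and evaluation resumes after the divert rule; under restart-at-rule-1 semantics the deny rule sees the translated packet wherever it is placed.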