Date: Thu, 22 Oct 1998 12:06:16 -0700 (PDT)
From: "Eric J. Schwertfeger" <ejs@bfd.com>
To: Studded <Studded@gorean.org>
Cc: junkmale@xtra.co.nz, freebsd-security@FreeBSD.ORG
Subject: Re: default rules in rc.firewall cause problem
Message-ID: <Pine.BSF.4.05.9810221201440.6098-100000@harlie.bfd.com>
In-Reply-To: <362F7BB1.71A13EF3@gorean.org>
On Thu, 22 Oct 1998, Studded wrote:

> This is about the 8th time I've seen this post of yours. You are
> missing several important aspects of this situation. First off, the
> outside interface should NEVER see traffic from RFC 1918 space, so if
> you have to modify this rule to get your system to work then your system
> is screwed.

True for -current, but not for -stable. In -stable (as of 19980828), when a packet goes through natd, it gets reinjected at the start of the rules again, so all of a sudden, the ipfw rules are seeing a packet from the outside with a destination within RFC 1918 space.

Three solutions that I know of:

1) delete the rule
2) one that I'm working on, involving diverting to other interfaces, or
3) upgrade to -current, which by default puts the packet back in the queue so that it picks up with the next rule after the divert.

I find #1 extremely distasteful, which is why I'm working on #2.
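The ordering problem described in the message, shown as an added example that is not part of the original thread and not FreeBSD's ipfw or natd code. It is a small Python model of rule evaluation with the two reinjection behaviours the message contrasts: a diverted packet re-entering at the first rule (the -stable behaviour of the time) versus continuing with the rule after the divert (-current). The interface name, addresses, rule numbers and the assumption that the RFC 1918 deny rule precedes the natd divert are all constructed for the example; the public address is from the TEST-NET-3 documentation range.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Constructed values: an assumed outside interface name, a public address from
# the TEST-NET-3 documentation range, and one inside host behind natd.
OIF = "ed0"
PUBLIC_IP = "203.0.113.17"
INSIDE_HOST = "192.168.1.10"

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    diverted: bool = False  # set once natd has handed the packet back


@dataclass(frozen=True)
class Rule:
    number: int
    action: str  # "deny", "allow" or "divert"
    match: Callable[[Packet], bool]


def in_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def natd(pkt: Packet) -> Packet:
    """Stand-in for natd: inbound packets addressed to the public address are
    rewritten to the inside host. Outbound translation is not modelled."""
    if pkt.dst == PUBLIC_IP:
        return replace(pkt, dst=INSIDE_HOST, diverted=True)
    return replace(pkt, diverted=True)


def rfc1918_rule() -> Rule:
    # The rc.firewall rule the message is about: drop RFC 1918 addresses seen
    # on the outside interface, whether as source or destination.
    return Rule(100, "deny",
                lambda p: p.iface == OIF and (in_rfc1918(p.src) or in_rfc1918(p.dst)))


def ruleset(keep_rfc1918_rule: bool = True) -> List[Rule]:
    # Assumed ordering: the anti-spoofing deny rule first, then the natd divert.
    rules = [rfc1918_rule()] if keep_rfc1918_rule else []
    rules.append(Rule(200, "divert", lambda p: p.iface == OIF and not p.diverted))
    rules.append(Rule(65000, "allow", lambda p: True))
    return rules


def evaluate(rules: List[Rule], pkt: Packet, reinject: str) -> Tuple[str, int, Packet]:
    """Walk the rules in order. `reinject` selects what happens after natd
    hands the packet back: "restart" (old -stable: begin again at the first
    rule) or "resume" (-current: continue with the rule after the divert)."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule.match(pkt):
            i += 1
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
            i = 0 if reinject == "restart" else i + 1
            continue
        return rule.action, rule.number, pkt
    return "deny", 0, pkt  # ipfw's implicit default deny


def inbound_to_public_host() -> Packet:
    # Constructed: a legitimate Internet host talking to our public address.
    return Packet(src="198.51.100.5", dst=PUBLIC_IP, iface=OIF)


def spoofed_inbound() -> Packet:
    # Constructed: a packet arriving on the outside interface with a private source.
    return Packet(src="10.1.2.3", dst=PUBLIC_IP, iface=OIF)


if __name__ == "__main__":
    for mode in ("restart", "resume"):
        action, num, pkt = evaluate(ruleset(), inbound_to_public_host(), mode)
        print(f"{mode:8s} legitimate inbound -> {action} at rule {num} (dst now {pkt.dst})")
    # Solution 1 from the message: deleting the rule makes the -stable case pass,
    # but the check on genuinely spoofed RFC 1918 sources goes with it.
    action, num, _ = evaluate(ruleset(keep_rfc1918_rule=False), spoofed_inbound(), "restart")
    print(f"without rule 100, spoofed inbound -> {action} at rule {num}")
```

Under "restart" the translated packet (destination now 192.168.1.10) is seen a second time by rule 100 and dropped, which is the symptom reported in the thread; under "resume" rule 100 is never re-evaluated and the packet is allowed, while a packet with a private source address is still dropped by rule 100 before it ever reaches the divert. Removing rule 100 restores connectivity on "restart" but also lets the spoofed packet through, which is the trade-off behind calling solution #1 distasteful.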