Date: Thu, 22 Oct 1998 12:06:16 -0700 (PDT)
From: "Eric J. Schwertfeger" <ejs@bfd.com>
To: Studded
cc: junkmale@xtra.co.nz, freebsd-security@FreeBSD.ORG
Subject: Re: default rules in rc.firewall cause problem
In-Reply-To: <362F7BB1.71A13EF3@gorean.org>

On Thu, 22 Oct 1998, Studded wrote:

> This is about the 8th time I've seen this post of yours. You are
> missing several important aspects of this situation. First off, the
> outside interface should NEVER see traffic from RFC 1918 space, so if
> you have to modify this rule to get your system to work then your system
> is screwed.

True for -current, but not for -stable. In -stable (as of 19980828), when a
packet goes through natd, it gets reinjected at the start of the rules again,
so all of a sudden the ipfw rules are seeing a packet from the outside with a
destination within RFC 1918 space.

Three solutions that I know of:

1) delete the rule
2) one that I'm working on, involving diverting to other interfaces, or
3) upgrade to -current, which by default puts the packet back in the queue so
   that it picks up with the next rule after the divert.

I find #1 extremely distasteful, which is why I'm working on #2.
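[Editor's added example; this is not code from Eric's mail, from Studded, or
from rc.firewall.] The problem described above is that a direction-less
"deny ... via $oif" rule on an RFC 1918 destination matches an inbound packet
that natd has already translated when that packet re-enters the ruleset. The
script below contrasts that style of rule with anti-spoof rules keyed on
direction: it keeps "private source coming in", "private source going out" and
"private destination going out", and drops only "private destination coming
in", which is the one check a NAT box cannot keep because a translated inbound
packet looks exactly like that. A tiny first-match model shows which rule each
sample packet hits. Assumptions: the interface name fxp0, the sample addresses
(documentation ranges) and the rule tables are constructed for illustration;
the model understands only "any" and the three RFC 1918 blocks; and, as the
mail implies, a reinjected packet keeps its direction and interface. The ipfw
commands are only printed unless fwcmd is pointed at /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not code from the original mail or from rc.firewall.
# Assumptions (constructed): interface fxp0, sample addresses, rule tables.

oif="fxp0"
fwcmd="${fwcmd:-echo ipfw}"    # set fwcmd=/sbin/ipfw to install for real

# Rule tables in a fixed format: "action src dst dir iface".
# old: direction-less 'via' match on either address. The second rule per net
#      is the one that bites a natd-translated inbound packet (dst private,
#      in via $oif) when it re-enters the ruleset.
old_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "deny $net any any $oif"
        echo "deny any $net any $oif"
    done
    echo "allow any any any any"
}
# new: keyed on direction. Private source in or out and private destination
#      out are still refused; private destination in is deliberately absent.
new_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "deny $net any in $oif"
        echo "deny $net any out $oif"
        echo "deny any $net out $oif"
    done
    echo "allow any any any any"
}

# Render a rule table as ipfw(8) commands ("any" direction becomes plain 'via').
to_ipfw() {
    while read -r action src dst dir iface; do
        case "$dir" in any) d="via" ;; *) d="$dir via" ;; esac
        case "$iface" in
            any) $fwcmd add "$action" ip from "$src" to "$dst" ;;
            *)   $fwcmd add "$action" ip from "$src" to "$dst" $d "$iface" ;;
        esac
    done
}

# Address $1 is inside $2, which is "any" or one of the three RFC 1918 nets.
in_net() {
    case "$2" in
        any)            return 0 ;;
        10.0.0.0/8)     case "$1" in 10.*) return 0 ;; esac ;;
        172.16.0.0/12)  case "$1" in 172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;; esac ;;
        192.168.0.0/16) case "$1" in 192.168.*) return 0 ;; esac ;;
    esac
    return 1
}

# First-match model: verdict TABLE src dst dir iface -> prints the action
# of the first rule in TABLE that matches the packet.
verdict() {
    table="$1"; psrc="$2"; pdst="$3"; pdir="$4"; pif="$5"
    "$table" | while read -r action src dst dir iface; do
        in_net "$psrc" "$src" || continue
        in_net "$pdst" "$dst" || continue
        [ "$dir" = any ] || [ "$dir" = "$pdir" ] || continue
        [ "$iface" = any ] || [ "$iface" = "$pif" ] || continue
        echo "$action"
        break
    done
}

# Demo: the same inbound packet after natd translation (constructed addresses).
echo "old rules, translated inbound: $(verdict old_rules 198.51.100.7 192.168.1.5 in fxp0)"
echo "new rules, translated inbound: $(verdict new_rules 198.51.100.7 192.168.1.5 in fxp0)"
echo "new rules, spoofed inbound:    $(verdict new_rules 10.1.2.3 203.0.113.2 in fxp0)"
echo "new rules, untranslated leak:  $(verdict new_rules 192.168.1.5 198.51.100.7 out fxp0)"
new_rules | to_ipfw
```

The new block must still sit after the divert rule: with either reinjection
behaviour the packet that reaches these rules after natd carries the public
address on its outside-facing side, so the three remaining checks pass it, while
a packet with a private source that was never translated (natd not running, or
a host on the wrong side) is still refused on the way out.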
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message