Date: Mon, 17 Apr 2000 13:20:52 +0100
From: Brian Somers <brian@Awfulhak.org>
To: Anders Nordby <anders@fix.no>
Cc: freebsd-ipfw@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject: Re: Closing incoming access to private (and other) networks with ipfw (and running natd)
Message-ID: <200004171220.NAA16155@hak.lan.Awfulhak.org>
In-Reply-To: Message from Anders Nordby <anders@fix.no> of "Sun, 16 Apr 2000 20:55:28 +0200." <20000416205528.F20667@totem.fix.no>
The default (despite the libalias documentation, but in line with the
natd documentation) behaviour when receiving new traffic bound for
the internal network(s) *used* to be to let it through. This could
be overridden with PacketAliasSetTarget() (-target_address to natd).
*now* (in -stable & -current), PacketAliasSetTarget(INADDR_ANY)
behaves as before and PacketAliasSetTarget(INADDR_NONE) goes to the
alias address. The default is INADDR_NONE.
Either way, if you ``-target_address 1.2.3.4'' where 1.2.3.4 is your
alias address, you should effectively block connections from outside.
> I'm not really sure where I should ask this question, since it's (at least
> to me) both natd and ipfw related. I'm building a firewall with three
> network cards (3Com xl ones), that routes both public and private networks
> to and from the Internet. Natd works -- NICs on the segment routed
> directly to the Internet see traffic from NICs on private networks as if
> it came from the IP of the NIC on the firewall on the same segment.
>
> Now, my problem is not routing/forwarding on the firewall, nor network
> address translation. I need to prevent incoming access to private networks
> through the firewall (and be sure it really works :-)). I've tried
> configuring natd with deny_incoming, but I can still ping IPs on private
> networks through xl0 (which is the NIC on the Firewall routed directly to
> the Internet). Now, that might be due to me using an extra alias on xl0
> and routing through it. But I need to be able to block access from one
> network to the other, and still be able to access the one network from the
> other (and receive response to tcp/udp/icmp back with the same
> protocol). I've tried accomplishing this with stuff like ipfw add n deny
> all from any to 172.n.n.n in via xl0 and by using the
> keep-state/check-state etc. stuff introduced in FreeBSD 4.0, with no
> luck. :/ Either all traffic is denied (and I don't get replies back on
> requests which go the legal permitted way), or all traffic (including
> unwanted) goes through. Does anyone have a solution for this?
>
> Any help appreciated -- examples, ideas, whatever.
>
> Cheers.
>
> --
> Anders.
--
Brian <brian@Awfulhak.org> <brian@[uk.]FreeBSD.org>
<http://www.Awfulhak.org> <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
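One way to combine the -target_address advice above with the keep-state/check-state rules Anders was experimenting with, as an added example that is not part of the thread: xl0 is taken to be the Internet-facing NIC, 192.0.2.1 is a constructed placeholder for its alias address, 172.16.0.0/12 stands for the private segments behind xl1 and xl2, and traffic between the internal interfaces is left open. The ordering is the point: inbound packets are translated before check-state so the lookup sees the private address, while outbound packets record state before they are translated; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: natd + ipfw for a three-NIC firewall.
# xl0 faces the Internet; 192.0.2.1 is a constructed placeholder for its
# alias address; 172.16.0.0/12 stands for the private networks on xl1/xl2.
ext_if=xl0
alias_ip=192.0.2.1          # placeholder: the address natd aliases to
priv_net=172.16.0.0/12      # private networks behind the firewall

# Print each command instead of running it unless APPLY=1 is set.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }
add() { run ipfw -q add "$@"; }

start_natd() {
    # Inbound packets matching no translation entry are sent to the alias
    # address itself (-target_address) and dropped (-deny_incoming).
    run natd -n "$ext_if" -target_address "$alias_ip" -deny_incoming
}

load_rules() {
    run ipfw -q -f flush
    # Loopback and the interfaces behind the firewall are not restricted here.
    add 100 allow ip from any to any via lo0
    add 110 allow ip from any to any via xl1
    add 120 allow ip from any to any via xl2
    # Inbound on xl0: translate first, so check-state sees the private
    # address that the outbound keep-state rule recorded.
    add 200 divert natd ip from any to any in via "$ext_if"
    add 210 check-state
    # Whatever is still unmatched here is not a reply to a tracked flow:
    # nothing from outside may reach the private networks.
    add 220 deny log ip from any to "$priv_net" in via "$ext_if"
    # Outbound: record the flow while it still carries its private source,
    # then jump past the deny so natd rewrites the source to the alias.
    add 300 skipto 800 tcp from "$priv_net" to any out via "$ext_if" setup keep-state
    add 310 skipto 800 udp from "$priv_net" to any out via "$ext_if" keep-state
    add 320 skipto 800 icmp from "$priv_net" to any out via "$ext_if" keep-state
    add 325 skipto 800 ip from "$alias_ip" to any out via "$ext_if" keep-state
    add 330 deny log ip from any to any
    add 800 divert natd ip from any to any out via "$ext_if"
    # Dynamic matches from check-state in either direction resume here,
    # so this allow must not be restricted to the outbound direction.
    add 810 allow ip from any to any
}

start_natd
load_rules
```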
