Date: Mon, 12 Oct 2015 08:16:39 -0700
Subject: Re: Are udp packets with non-routeable ip addresses valid on public network?
From: Kurt Buff
To: "freebsd-questions@freebsd.org"

On Mon, Oct 12, 2015 at 6:55 AM, Matthew Seaman wrote:
> On 2015/10/12 14:06, Ernie Luzar wrote:
>
>> I am receiving unsolicited inbound udp packets with a "to ip address"
>> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
>> packets from that LAN computer pass through the firewall NAT as
>> expected. I added a firewall rule to block that packet and there are no
>> outward signs of problems with that LAN computer.
>>
>> On other LAN PC's that run ms/windows and facebook or yahoo are sending
>> outbound udp packets with "from ip address" containing their LAN ip
>> address. I block these also without any outward signs of problems. These
>> packets are not being NAT'ed like other udp packets from that LAN PC are.
>>
>> I thought non-routable ip addresses are invalid on the public network.
>>
>> Any ideas on what is occurring here?
>
> Do you mean you are receiving packets on the *external* interface of
> your firewall with an IP number for a host in the private address space
> on your internal lan?
>
> No, that shouldn't happen. RFC1918 addressed packets should not be
> routable on the Internet.
>
> It sounds as if your firewall might be letting un-NAT'ed traffic through
> itself for some combination of host and protocol, and you are somehow
> seeing responses. Or else someone has worked out what some of your
> internal addresses are and is trying to spoof your firewall -- but
> they'd have to be fairly close to you in network terms to even attempt that.
>
> Your firewall should reject such packets -- it's good practice to drop
> packets using private address space when they arrive from or depart to
> public networks, and also to drop packets that arrive at an 'impossible'
> interface according to the routing table. You can do that last bit
> fairly easily in pf(4) by something like:
>
>    block in log quick on $ext_if from no-route to any
>    block in log quick on $ext_if from urpf-failed to any
>
> Cheers,
>
> Matthew

I'll go a bit further, and also recommend that your router outside
your firewall, if you have one, as well as your firewall, should block
all bogons, inbound and outbound:
https://www.team-cymru.org/bogon-reference.html

Definitely audit your firewall to make sure it isn't emitting un-NATed packets.

Kurt
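
One way to run the audit suggested above, as an added example that is not part of the original thread: a Python script that scans `tcpdump -n` output captured on the firewall's external interface and reports packets carrying RFC 1918 addresses. The sample capture lines and all addresses in them are constructed, and the script assumes the external interface itself holds a public address.

```python
import ipaddress
import re

# RFC 1918 private ranges, the address space discussed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# `tcpdump -n` IPv4 line: "... IP src[.port] > dst[.port]: ...".
# The port is optional because ICMP lines carry none; IP6 lines do not match.
PACKET_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_external_capture(lines):
    """Return (reason, src, dst) for each packet seen on the external
    interface that carries an RFC 1918 address as source or destination."""
    findings = []
    for line in lines:
        m = PACKET_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        reasons = []
        if is_rfc1918(src):
            reasons.append("private-source")       # e.g. traffic that bypassed NAT
        if is_rfc1918(dst):
            reasons.append("private-destination")  # the case in the original question
        if reasons:
            findings.append(("+".join(reasons), src, dst))
    return findings


# Constructed sample capture (not real traffic): 198.51.100.20 stands in for
# the firewall's public address, 203.0.113.x for remote hosts.
SAMPLE = """\
08:16:39.100001 IP 198.51.100.20.51234 > 203.0.113.9.443: UDP, length 48
08:16:39.200002 IP 10.0.10.7.3478 > 203.0.113.50.3478: UDP, length 20
08:16:39.300003 IP 203.0.113.77.4500 > 10.0.10.1.4500: UDP, length 120
08:16:39.400004 IP 172.32.0.5.53 > 198.51.100.20.40000: UDP, length 90
08:16:39.500005 IP6 2001:db8::1.443 > 2001:db8::2.50000: UDP, length 30
""".splitlines()

if __name__ == "__main__":
    for reason, src, dst in audit_external_capture(SAMPLE):
        print(f"{reason}: {src} > {dst}")
```

The 172.32.0.5 line is deliberately just outside 172.16.0.0/12 and is not reported; extending `RFC1918` with the wider bogon list is left to the reference linked above.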