Date: Thu, 22 Oct 1998 22:43:13 +0200 From: sthaug@nethelp.no To: Studded@gorean.org Cc: freebsd-security@FreeBSD.ORG Subject: Re: default rules in rc.firewall cause problem Message-ID: <8997.909088993@verdi.nethelp.no> In-Reply-To: Your message of "Thu, 22 Oct 1998 11:38:41 -0700" References: <362F7BB1.71A13EF3@gorean.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> First off, the
> outside interface should NEVER see traffic from RFC 1918 space, so if
> you have to modify this rule to get your system to work then your system
> is screwed.
Unfortunately, there's plenty of traffic out there with RFC 1918
addresses. From one of the nearby routers here:
gw> sh access-list 104
Extended IP access list 104
...
deny ip 10.0.0.0 0.255.255.255 any (2161 matches)
deny ip 172.16.0.0 0.15.255.255 any (5942 matches)
deny ip 192.168.0.0 0.0.255.255 any (10313 matches)
...
- There are plenty of ISPs using RFC 1918 addresses for their internal
links (bad idea!), which results in these addresses being visible as
source addresses when you run traceroute etc.
- There are plenty of installations using some form of RFC 1918 for
their internal network, without sufficient filtering. This results in
RFC 1918 destination addresses being visible externally - until they
reach a default free router, where they are of course dropped in the
bit bucket.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8997.909088993>