Date:      Fri, 23 Oct 1998 09:56:57 +1300
From:      "Dan Langille" <junkmale@xtra.co.nz>
To:        "Eric J. Schwertfeger" <ejs@bfd.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: default rules in rc.firewall cause problem
Message-ID:  <199810222056.JAA23805@witch.xtra.co.nz>
In-Reply-To: <Pine.BSF.4.05.9810221201440.6098-100000@harlie.bfd.com>
References:  <362F7BB1.71A13EF3@gorean.org>

On 22 Oct 98, at 12:06, Eric J. Schwertfeger wrote:

> True for -current, but not for -stable.  In -stable (as of 19980828), when
> a packet goes through natd, it gets reinjected at the start of the rules
> again, so all of a sudden, the ipfw rules are seeing a packet from the
> outside with a destination within RFC 1918 space.
> 
> Three solutions that I know of: 1) delete the rule 2) one that I'm working
> on, involving diverting to other interfaces, or 3) upgrade to -current,
> which by default puts the packet back in the queue so that it picks up
> with the next rule after the divert.
> 
> I find #1 extremely distasteful, which is why I'm working on #2.

Hmmm, could your explanation be the cause of what I'm seeing here?  And would
the modification to the rule make sense?

$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

It will deny all outgoing packets but allow incoming packets, which are what natd is
effectively doing.  If I read /etc/rc.firewall correctly, there are other default rules
higher up in the list which will prevent incoming packets pretending to be from
192.168.0.0/24.  For example:

$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}

I'm on 2.2.7 right now, and upgrading to -current isn't under consideration
at the moment.  If the change I've made will cause other problems, then
we'll probably have to reconsider that.

thanks Eric.

--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com
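To make the reasoning in this exchange concrete, here is an added toy model of ipfw rule evaluation (written for this archive page, not code from the thread or from rc.firewall). It assumes ${oif} is ed0, ${inet}:${imask} is 192.168.0.0/24, a constructed natd mapping of 203.0.113.10 to 192.168.0.5, a rule order of anti-spoof deny, RFC 1918 deny, then the divert, and the simplification that an already-translated packet is not diverted a second time.

```python
import ipaddress
from dataclasses import dataclass, replace

OIF = "ed0"                                      # assumed ${oif}
INET = ipaddress.ip_network("192.168.0.0/24")    # assumed ${inet}:${imask}
RFC1918_192 = ipaddress.ip_network("192.168.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
PUBLIC, PRIVATE = "203.0.113.10", "192.168.0.5"  # constructed natd mapping
@dataclass
class Packet:
    src: str
    dst: str
    iface: str
    direction: str            # "in" or "out"
    translated: bool = False

# A rule is (action, src_net, dst_net, direction, iface); direction None
# models a bare "via ${oif}", which ipfw matches in both directions.
def matches(r, p):
    _, src, dst, direction, iface = r
    return (ipaddress.ip_address(p.src) in src and ipaddress.ip_address(p.dst) in dst
            and direction in (None, p.direction) and iface in (None, p.iface))

def natd(p):
    """Stand-in for natd: map an inbound packet's public destination to the inside host."""
    if p.direction == "in" and p.dst == PUBLIC:
        return replace(p, dst=PRIVATE, translated=True)
    return replace(p, translated=True)

def evaluate(rules, p, reinject_at_start):
    """-stable re-enters the list at rule 0 after natd; -current resumes after the divert."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if matches(r, p) and r[0] != "divert":
            return r[0]
        if matches(r, p) and not p.translated:     # simplification: never divert twice
            p = natd(p)
            i = 0 if reinject_at_start else i + 1
            continue
        i += 1
    return "deny"                                   # ipfw's default rule
def ruleset(deny_rfc1918_out_only):
    rfc1918_dir = "out" if deny_rfc1918_out_only else None
    return [("deny", INET, ANY, "in", OIF),          # stop spoofing of ${inet}
            ("deny", ANY, RFC1918_192, rfc1918_dir, OIF),
            ("divert", ANY, ANY, None, OIF),         # divert natd all from any to any via ${oif}
            ("allow", ANY, ANY, None, None)]
INBOUND = Packet("198.51.100.7", PUBLIC, OIF, "in")  # constructed: outside host to our public IP
```

With the original rule and -stable reinjection the translated inbound packet is denied; adding `out` lets it through while the anti-spoof rule still drops inbound packets claiming a ${inet} source and the rule still blocks RFC 1918 destinations leaving via ${oif}.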
