From: "Dan Langille"
Organization: DVL Software Limited
Reply-to: junkmale@xtra.co.nz
To: "Eric J. Schwertfeger"
CC: freebsd-security@FreeBSD.ORG
Date: Fri, 23 Oct 1998 09:56:57 +1300
Subject: Re: default rules in rc.firewall cause problem

On 22 Oct 98, at 12:06, Eric J. Schwertfeger wrote:

> True for -current, but not for -stable. In -stable (as of 19980828), when
> a packet goes through natd, it gets reinjected at the start of the rules
> again, so all of a sudden, the ipfw rules are seeing a packet from the
> outside with a destination within RFC 1918 space.
>
> Three solutions that I know of: 1) delete the rule 2) one that I'm working
> on, involving diverting to other interfaces, or 3) upgrade to -current,
> which by default puts the packet back in the queue so that it picks up
> with the next rule after the divert.
>
> I find #1 extremely distasteful, which is why I'm working on #2.

Hmmm, could your explanation be the cause of what I'm seeing here? And would the modification to the rule make sense?
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

It will deny all outgoing packets but allow incoming packets, which is what natd is effectively doing. If I read /etc/rc.firewall correctly, there are other default rules higher up in the list which will prevent incoming packets pretending to be from 192.168.0.0/24. For example:

    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}

I'm on 2.2.7 right now, and upgrading to -current isn't under consideration at the moment. If the change I've made will cause other problems, then we'll probably have to reconsider that.

thanks Eric.

--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com
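A toy model of the rule evaluation discussed in this thread, added here as an illustration and not code from the thread or from FreeBSD: it assumes an outside interface named ed0, a constructed public address and internal host, a natd that only rewrites inbound destinations, and a tiny ipfw rule subset (action, destination net, interface, direction). It models the -stable behaviour quoted above (a diverted packet re-enters at the first rule) against the -current behaviour (it continues at the next rule), and checks both the proposed "out" rule and the effect of where the divert sits.

```python
import ipaddress

OIF = "ed0"                       # assumed outside interface name
PUBLIC = "203.0.113.5"            # constructed public address of the gateway
INSIDE_HOST = "192.168.0.10"      # constructed internal host behind natd
RFC1918 = ipaddress.ip_network("192.168.0.0/16")

def natd(pkt):
    """Constructed natd: inbound packets for our public address go to INSIDE_HOST."""
    if pkt["dir"] == "in" and pkt["dst"] == PUBLIC:
        return {**pkt, "dst": INSIDE_HOST}
    return pkt

def match(rule, pkt):
    """rule = (action, dst_net or None, iface, 'in'/'out'/None); plain 'via' = any direction."""
    _, dst_net, iface, direction = rule
    if iface != pkt["iface"] or (direction and direction != pkt["dir"]):
        return False
    return dst_net is None or ipaddress.ip_address(pkt["dst"]) in dst_net

def evaluate(rules, pkt, stable=True):
    """First-match evaluation; a divert re-enters at rule 0 on -stable, at the next rule on -current."""
    translated, i = False, 0
    while i < len(rules):
        rule = rules[i]
        if match(rule, pkt):
            if rule[0] == "divert":
                if not translated:            # assumption: natd sees each packet once
                    pkt, translated = natd(pkt), True
                    i = 0 if stable else i + 1
                    continue
            else:
                return rule[0]
        i += 1
    return "deny"                             # nothing matched: treat as denied

DIVERT   = ("divert", None, OIF, None)        # divert natd all from any to any via ${oif}
ORIGINAL = ("deny", RFC1918, OIF, None)       # deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
MODIFIED = ("deny", RFC1918, OIF, "out")      # the same rule with "out" added, as proposed above
ALLOW    = ("allow", None, OIF, None)         # stand-in for the rules that pass wanted traffic

def verdicts(deny_rule, divert_first=True, stable=True):
    """Return (verdict for an inbound reply, verdict for an outbound private-bound packet)."""
    rules = [DIVERT, deny_rule, ALLOW] if divert_first else [deny_rule, DIVERT, ALLOW]
    inbound = {"dir": "in", "iface": OIF, "dst": PUBLIC}        # reply from the Internet
    leak = {"dir": "out", "iface": OIF, "dst": "192.168.5.5"}   # private dst leaving via ${oif}
    return evaluate(rules, inbound, stable), evaluate(rules, leak, stable)
```

verdicts() shows that under the -stable restart the default rule drops the translated reply even when the divert is placed after it, that the "out" variant lets the reply through while still blocking private destinations leaving ${oif}, and that on -current the same ordering works without the modification.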