Date:      Mon, 12 Oct 2015 08:16:39 -0700
From:      Kurt Buff <kurt.buff@gmail.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: Are udp packets with non-routeable ip addresses valid on public network?
Message-ID:  <CADy1Ce4AHLewzix6D6UC_sukWvqqi4TNd5=HEEGOAzFQcxC2Pw@mail.gmail.com>
In-Reply-To: <561BBBD4.8090708@infracaninophile.co.uk>
References:  <561BB03D.1060104@gmail.com> <561BBBD4.8090708@infracaninophile.co.uk>

On Mon, Oct 12, 2015 at 6:55 AM, Matthew Seaman
<m.seaman@infracaninophile.co.uk> wrote:
> On 2015/10/12 14:06, Ernie Luzar wrote:
>
>> I am receiving unsolicited inbound udp packets with a "to ip address"
>> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
>> packets from that LAN computer pass through the firewall NAT as
>> expected. I added a firewall rule to block that packet and there are no
>> outward signs of problems with that LAN computer.
>>
>> On other LAN PC's that run ms/windows and facebook or yahoo are sending
>> out bound udp packets with "from ip address" containing their LAN ip
>> address. I block these also without any outward signs of problems. These
>> packets are not being NAT'ed like other udp packets from that LAN PC are.
>>
>> I thought non-routable ip addresses are invalid on the public network.
>>
>> Any ideas on what is occurring here?
>
> Do you mean you are receiving packets on the *external* interface of
> your firewall with an IP number for a host in the private address space
> on your internal lan?
>
> No, that shouldn't happen.  RFC1918 addressed packets should not be
> routable on the Internet.
>
> It sounds as if your firewall might be letting un-NAT'ed traffic through
> itself for some combination of host and protocol, and you are somehow
> seeing responses.  Or else someone has worked out what some of your
> internal addresses are and is trying to spoof your firewall -- but
> they'd have to be fairly close to you in network terms to even attempt that.
>
> Your firewall should reject such packets -- it's good practice to drop
> packets using private address space when they arrive from or depart to
> public networks, and also to drop packets that arrive at an 'impossible'
> interface according to the routing table.  You can do that last bit
> fairly easily in pf(4) by something like:
>
> block in log quick on $ext_if from no-route to any
> block in log quick on $ext_if from urpf-failed to any
>
>         Cheers,
>
>         Matthew


I'll go a bit further, and also recommend that your router outside
your firewall, if you have one, as well as your firewall, should block
all bogons, inbound and outbound:
https://www.team-cymru.org/bogon-reference.html

Definitely audit your firewall to make sure it isn't emitting un-NATed packets.

Kurt
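The advice in this thread (drop RFC 1918 and other bogon space in both directions on the external interface, reject packets that fail a reverse-path check, and make sure nothing leaves un-NATed) pulled together into one pf.conf fragment. This is an added example, not a configuration posted by anyone in the thread; the interface names em0/em1, the LAN prefix 10.0.10.0/24 and the table name <bogons> are assumptions, and the table below is only a starting subset of the Team Cymru bogon list, not the full list.

```pf
# Added example, not from the thread. Assumed names: em0 is the public
# interface, em1 the LAN, 10.0.10.0/24 the LAN prefix.
ext_if  = "em0"
int_if  = "em1"
lan_net = "10.0.10.0/24"

# Address space that must never be seen on the public side: RFC 1918
# plus a few other well-known non-routable ranges.  This is a starting
# subset; the full bogon list can be loaded at runtime with
#   pfctl -t bogons -T replace -f /path/to/bogon-list
# "persist" keeps the table alive even when no rule currently matches it.
table <bogons> persist { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         192.0.2.0/24, 224.0.0.0/4, 240.0.0.0/4 }

set skip on lo0
scrub in all

# Translate LAN traffic as it leaves the public interface.  pf evaluates
# translation before filtering, so the filter rules below see the
# post-NAT source address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny; log what gets dropped so leaks are visible in pflog.
block log all

# Bogons must neither arrive from nor depart toward the public network.
# The "block out ... from <bogons>" rule only ever matches traffic the
# nat rule above did not translate, which is exactly the leak to audit for.
block in  log quick on $ext_if from <bogons> to any
block in  log quick on $ext_if from any to <bogons>
block out log quick on $ext_if from <bogons> to any
block out log quick on $ext_if from any to <bogons>

# Packets with no route back to their source, or that arrived on an
# interface the routing table says they could not have come from
# (reverse-path check), as suggested earlier in the thread.
block in log quick on $ext_if from no-route to any
block in log quick on $ext_if from urpf-failed to any

# Same spoofing check on the LAN side: drop packets claiming a LAN source
# that arrive on any interface other than the LAN.
antispoof log quick for $int_if

pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Two caveats before deploying this. The urpf-failed rule assumes symmetric routing; on a host with more than one uplink or a routing table that does not match the return path, it will drop legitimate traffic, so watch pflog after enabling it. And because filter rules see post-NAT addresses, anything the outbound bogon rule logs on $ext_if is by definition traffic that did not match the nat rule, which is a direct way to perform the audit recommended above: tcpdump -n -e -ttt -i pflog0 and look for private sources on the external interface.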


