Date:      Tue, 25 Jul 2000 12:48:42 -0700 (PDT)
From:      Mike Hoskins <mike@adept.org>
To:        Stephen Montgomery-Smith <stephen@math.missouri.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Problems with natd and simple firewall
Message-ID:  <Pine.BSF.4.21.0007251225320.27676-100000@snafu.adept.org>
In-Reply-To: <397D4214.48E908CC@math.missouri.edu>

On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:

> Actually there is also a rule in rc.firewall:
> 
>          ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
> which the web site changed to
>          ${fwcmd} add deny all from 192.168.0.0/16 to any in via ${oif}
> I found that this change was unnecessary.

Unnecessary, and perhaps unwanted if your LAN isn't fully trusted.

The first rule will stop packets with source addresses of 192.168.0.0/16
going anywhere (in or out) on the outside interface.  This effectively
stops some DoS attacks AND disallows RFC1918 spoofing from your network.

The second rule stops inbound (DoS) packets, but 'trusts' your LAN by
allowing outbound (spoofed) packets.  If your LAN is small and 'trusted',
that may be okay, otherwise...  You probably don't want to willingly make
your network the source of a DoS.

> But if you think about it logically, that change should be necessary.

I'm not sure if this is logical...  But here's my view of a packet sent
from an inside host to an outside host (and everyone, please correct me
if this is wrong, like I said, I've only been toying with ipfw for a
couple weeks now):

* from inside machine for outside machine (sent to inside IP/interface,
  which is the inside/private network's gw, 'in via iif')
* from outside ip to outside machine (divert, sent 'out via oif')
* delivered to outside machine

That would seem to describe the packet's path as well as why the above
rules behave as they do.

The ruleset I pasted earlier (and am using now) catches inbound RFC1918
addresses, and allows everything out (check/keep-state).  This is because
my home LAN consists of only seven hosts at the moment (all touched only
by me and my SO).  If this was a publicly used LAN, I'd add specific
deny/log rules for RFC1918 nets from inside hosts to stop and log DoS
attempts.

-mrh
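The difference between `via ${oif}` and `in via ${oif}` that the reply above describes can be checked with a small model of ipfw's interface/direction qualifiers. The following is an added illustration, not code from the thread, rc.firewall or ipfw itself: it models only the two deny rules, ignores the natd divert step, and uses constructed interface names (`fxp0`, `fxp1`) and addresses. It also walks the two-hop packet path from the reply (in via the inside interface, then out via the outside interface) to show which rule would stop a leaked RFC1918 source before it leaves.

```python
"""Model of how an ipfw deny rule's 'via', 'in via' and 'out via'
qualifiers decide whether it matches a packet.  Added example, not code
from the original thread; interface names, addresses and packets are
constructed, and NAT (natd divert) is deliberately left out so the two
deny rules can be compared in isolation."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address as seen at this hop
    dst: str        # destination IP address
    iface: str      # interface the packet is seen on at this hop
    direction: str  # "in" (arriving on iface) or "out" (leaving on iface)


@dataclass(frozen=True)
class DenyRule:
    src_net: str                  # e.g. "192.168.0.0/16"
    iface: str                    # interface named after 'via'
    direction: Optional[str]      # "in", "out", or None for a plain 'via'

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if pkt.iface != self.iface:
            return False
        # plain 'via' matches both directions; 'in via' / 'out via' only one
        return self.direction is None or self.direction == pkt.direction


def verdicts(rule: DenyRule, packets: Dict[str, Packet]) -> Dict[str, str]:
    """Evaluate one rule against several single-hop packets."""
    return {name: ("deny" if rule.matches(p) else "pass")
            for name, p in packets.items()}


def path_verdict(rule: DenyRule, path: List[Packet]) -> str:
    """Walk a packet through its hops; report the first hop that denies it,
    or 'delivered' if no hop matches the rule."""
    for hop, pkt in enumerate(path):
        if rule.matches(pkt):
            return f"denied at hop {hop} ({pkt.direction} via {pkt.iface})"
    return "delivered"


OIF = "fxp0"   # constructed outside interface name (${oif})
IIF = "fxp1"   # constructed inside interface name (${iif})

# Constructed single-hop packets as seen by the filter.
PACKETS = {
    # spoofed packet arriving from the Internet claiming a private source
    "inbound_spoof": Packet("192.168.1.5", "203.0.113.10", OIF, "in"),
    # packet leaving toward the Internet still carrying a private source
    "outbound_leak": Packet("192.168.1.5", "198.51.100.7", OIF, "out"),
    # ordinary LAN traffic on the inside interface, not the rule's interface
    "lan_inbound": Packet("192.168.1.5", "192.168.1.1", IIF, "in"),
}

# Two-hop path from the reply: in via the inside gateway interface, then
# out via the outside interface, with the private source not yet rewritten.
LEAK_PATH = [
    Packet("192.168.1.5", "198.51.100.7", IIF, "in"),
    Packet("192.168.1.5", "198.51.100.7", OIF, "out"),
]

VIA_RULE = DenyRule("192.168.0.0/16", OIF, None)      # ... to any via ${oif}
IN_VIA_RULE = DenyRule("192.168.0.0/16", OIF, "in")   # ... to any in via ${oif}

if __name__ == "__main__":
    for label, rule in (("via", VIA_RULE), ("in via", IN_VIA_RULE)):
        print(f"{label:7}: {verdicts(rule, PACKETS)}")
        print(f"{label:7}: leak path -> {path_verdict(rule, LEAK_PATH)}")
```

Run stand-alone, the plain `via` rule denies both the inbound spoof and the outbound leak on the outside interface, while `in via` denies only the inbound spoof and lets the outbound packet with a private source reach the second hop untouched; neither touches traffic on the inside interface.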
