Date: Fri, 09 Apr 1999 15:21:16 +0400 (MSD)
From: "Sergey S. Kosyakov" <ks@Chg.RU>
To: Darren Henderson <darren@jasper.somtel.com>
Cc: security@FreeBSD.ORG
Subject: RE: ipfw question regarding RFC1918 addresses
Message-ID: <XFMail.990409152116.ks@chg.ru>
In-Reply-To: <Pine.BSF.4.10.9904082336450.18705-100000@jasper.somtel.com>
Where is the place for divert rules? Check carefully what you want to do.
And one more thing - the better rules will be:

  add deny all from 192.168.0.0/16 to any in recv ppp0
  ... other deny rules ...
  add divert _port_ ip from any to any via _external_if_0_
  add allow ip from any to any

And start natd with the "-u" flag.

Sergey.

On 09-Apr-99 Darren Henderson wrote:
>
> Running ipfw and natd. I use the class A RFC1918 address for the internal
> network.
>
> The way things are set up ipfw first sends everything to divert, allows
> all localhost stuff then disallows the RFC1918 stuff with
>
> add deny all from 192.168.0.0:255.255.0.0 to any via ppp0
> add deny all from any to 192.168.0.0:255.255.0.0 via ppp0
> add deny all from 172.16.0.0:255.240.0.0 to any via ppp0
> add deny log all from any to 172.16.0.0:255.240.0.0 via ppp0
> add deny all from 10.0.0.0:255.0.0.0 to any via ppp0
>#add deny all from any to 10.0.0.0:255.0.0.0 via ppp0
>
> (There are a handful of additional rules). Notice that the last line is
> commented out. If I include that, natd appears to stop working. I'm
> guessing that divert is converting an incoming packet to 10.0.0.x and it's
> then passing through my ruleset with its new address and being disallowed.
> The simple solution would seem to be to move the RFC1918 stuff above the
> divert rule... is that the best solution however? Have I even come close?
>
> The goal being to block 10.0.0.0/8 coming into the machine...
>
>
> ______________________________________________________________________
> Darren Henderson                              darren@jasper.somtel.com
>
> Help fight junk e-mail, visit http://www.cauce.org/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

----------------------------------
Sergey Kosyakov
Laboratory of Distributed Computing
Department of High-Performance Computing and Applied Network Research
Landau Institute for Theoretical Physics
E-Mail: ks@chg.ru
Date: 09-Apr-99
Time: 15:14:50
----------------------------------
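The failure Darren describes and the rule placement Sergey recommends, modelled as an added example that is not code from either poster: a small Python simulation of ipfw first-match evaluation in which the divert rule stands in for natd rewriting the destination of an inbound packet, and evaluation then continues at the next rule with the translated address. The addresses, the `nat_inbound` helper and the `inbound()` packet builder are constructed for the example; `REORDERED` applies Sergey's placement (denies matching only `in recv ppp0`, before the divert) to Darren's goal of blocking 10.0.0.0/8 coming in.

```python
import ipaddress

# Constructed addresses for the simulation (not from the thread).
EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")   # ppp0 public address
INTERNAL_HOST = ipaddress.ip_address("10.0.0.5")     # LAN host behind natd
ANY = ipaddress.ip_network("0.0.0.0/0")
NET_10 = ipaddress.ip_network("10.0.0.0/8")

def nat_inbound(pkt):
    """Stand-in for natd: map the public destination to the LAN host."""
    if pkt["dst"] == EXTERNAL_IP:
        return {**pkt, "dst": INTERNAL_HOST}
    return pkt

def matches(rule, pkt):
    """'via' = interface only; an explicit 'dir' models 'in recv ppp0'."""
    if pkt["src"] not in rule["src"] or pkt["dst"] not in rule["dst"]:
        return False
    if rule.get("iface") and pkt["iface"] != rule["iface"]:
        return False
    return not rule.get("dir") or pkt["dir"] == rule["dir"]

def run_ruleset(rules, pkt):
    """First match wins; divert rewrites the packet and continues at the next rule."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            pkt = nat_inbound(pkt)   # translated packet re-enters below the divert
            continue
        return rule["action"], pkt
    return "deny", pkt  # ipfw default deny

# Darren's ordering: divert first, then "deny ... to 10.0.0.0/8 via ppp0".
ORIGINAL = [
    {"action": "divert", "src": ANY, "dst": ANY, "iface": "ppp0"},
    {"action": "deny", "src": ANY, "dst": NET_10, "iface": "ppp0"},
    {"action": "allow", "src": ANY, "dst": ANY},
]
# Sergey's placement: RFC1918 denies restricted to "in recv ppp0", then divert.
REORDERED = [
    {"action": "deny", "src": NET_10, "dst": ANY, "iface": "ppp0", "dir": "in"},
    {"action": "deny", "src": ANY, "dst": NET_10, "iface": "ppp0", "dir": "in"},
    {"action": "divert", "src": ANY, "dst": ANY, "iface": "ppp0"},
    {"action": "allow", "src": ANY, "dst": ANY},
]

def inbound(src):
    """Constructed packet arriving on ppp0 addressed to the public IP."""
    return {"src": ipaddress.ip_address(src), "dst": EXTERNAL_IP,
            "iface": "ppp0", "dir": "in"}
```

With `ORIGINAL`, a legitimate reply from the Internet is translated to 10.0.0.5 by the divert and then dropped by the deny that follows it, which is the symptom Darren saw; with `REORDERED` the same reply is allowed while a packet arriving on ppp0 with a 10.0.0.0/8 source is still denied.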