Date:      Mon, 12 Oct 2015 14:55:32 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: Are udp packets with non-routeable ip addresses valid on public network?
Message-ID:  <561BBBD4.8090708@infracaninophile.co.uk>
In-Reply-To: <561BB03D.1060104@gmail.com>
References:  <561BB03D.1060104@gmail.com>


On 2015/10/12 14:06, Ernie Luzar wrote:

> I am receiving unsolicited inbound udp packets with a "to ip address"
> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
> packets from that LAN computer pass through the firewall NAT as
> expected. I added a firewall rule to block that packet and there are no
> outward signs of problems with that LAN computer.
>
> On other LAN PCs that run ms/windows and facebook or yahoo are sending
> outbound udp packets with "from ip address" containing their LAN ip
> address. I block these also without any outward signs of problems. These
> packets are not being NAT'ed like other udp packets from that LAN PC are.
>
> I thought non-routeable ip addresses are invalid on the public network.
>
> Any ideas on what is occurring here?

Do you mean you are receiving packets on the *external* interface of
your firewall with an IP number for a host in the private address space
on your internal LAN?

No, that shouldn't happen.  RFC1918 addressed packets should not be
routable on the Internet.

It sounds as if your firewall might be letting un-NAT'ed traffic through
itself for some combination of host and protocol, and you are somehow
seeing responses.  Or else someone has worked out what some of your
internal addresses are and is trying to spoof your firewall -- but
they'd have to be fairly close to you in network terms to even attempt that.

Your firewall should reject such packets -- it's good practice to drop
packets using private address space when they arrive from or depart to
public networks, and also to drop packets that arrive at an 'impossible'
interface according to the routing table.  You can do that last bit
fairly easily in pf(4) by something like:

block in log quick on $ext_if from no-route to any
block in log quick on $ext_if from urpf-failed to any

	Cheers,

	Matthew
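
The two rules above cover the 'impossible interface' case. A fuller pf.conf fragment that also drops RFC1918 traffic crossing the external interface in either direction (the leakage Ernie describes) is given below. This is an added example, not part of Matthew's message or the pf documentation; the interface name em0, the table name <martians> and the prefix list are assumptions to be adapted to the site:

```pf
# External interface; adjust to the real one (assumption: em0)
ext_if = "em0"

# Address space that must never appear on the public side:
# RFC1918 private ranges, loopback, link-local and "this network".
# Constructed list; extend it to fit your own addressing.
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8 }

# Ingress: nothing from or to private space may arrive from the Internet.
block in  log quick on $ext_if from <martians> to any
block in  log quick on $ext_if from any to <martians>

# Egress: on FreeBSD pf translates before filtering outbound packets, so a
# packet that still carries a LAN source address here is un-NAT'ed leakage.
block out log quick on $ext_if from <martians> to any
block out log quick on $ext_if from any to <martians>

# Packets whose source has no route back, or would not be routed out the
# interface they arrived on (reverse-path check), as in the reply above.
block in  log quick on $ext_if from no-route to any
block in  log quick on $ext_if from urpf-failed to any

# The usual NAT and pass rules follow; the blocks above are 'quick', so
# they take effect before anything later in the ruleset.
```

Because every rule logs, the matching packets can be inspected on the pflog0 interface with tcpdump(8) after loading the ruleset with pfctl(8), which is the simplest way to confirm whether the stray packets are really coming in from the Internet or leaking out un-NAT'ed from a LAN host, as the two hypotheses in the reply above require.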
