Subject: Problems with natd and simple firewall
From: Stephen Montgomery-Smith (stephen@math.missouri.edu)
Date: Mon Jul 24 2000 - 13:47:12 CDT


I recently tried to get natd to work with the default
rc.firewall that comes with FreeBSD 4.1RC, and it didn't
work. I found the problem, from looking at the web site
http://www.mostgraveconcern.com/freebsd/sheet.cgi?ipfw
which has a cure, but I wonder if there are other ways
to fix it.

In any case, the rc.firewall is currently seriously
deficient.

Here is the setup: my external network has
net:mask = 12.34.56.0/24
and my internal network has
net:mask = 192.168.1/24

Now, suppose I have established a connection:
192.168.1.2:4444 to 34.56.78.90:22
natd changes this to
12.34.56.78:4444 to 34.56.78.90:22

Now a piece of tcp comes in:
34.56.78.90:22 to 12.34.56.78:4444 via outside-interface
natd converts this to
34.56.78.90:22 to 192.168.1.2:4444 via outside-interface

which immediately gets killed by the rule in rc.firewall:

        # Stop RFC1918 nets on the outside interface
        ...........
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

The web site fixes this by changing the line to:

        ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}

Is this the correct way to deal with this? Does this leave the computer
open to spoofing? Is there some clever dynamic rule that could fix
this?

Or is there some option to natd that would change
34.56.78.90:22 to 12.34.56.78:4444 via outside-interface
to
34.56.78.90:22 to 192.168.1.2:4444 via inside-interface
?

I think that the last option would be the best, and if natd does not
allow it, maybe it should be added to the program.

-- 
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
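The following is an added example, not code from the post above or from FreeBSD. It models the two ipfw rules the post discusses (the `divert natd` rule and the RFC1918 `deny`) and walks the post's packets through them, so the difference between `via` (matches both directions) and `out via` (matches only outbound) can be seen on concrete addresses. It also tries a third layout the post does not mention: leaving the rule as `via` but placing the natd divert after the RFC1918 checks, so the deny sees untranslated addresses. The interface names fxp0/fxp1 are assumed; natd is reduced to a port-preserving alias table; the addresses and ports are the ones in the post.

```python
"""Model of ipfw 'via' vs 'out via' matching with natd in front of the RFC1918 deny.

Added example; not code from the original post or from FreeBSD. Interface names
fxp0/fxp1 and the natd model are assumptions; addresses/ports come from the post.
"""
import ipaddress
from dataclasses import dataclass, replace

OIF, IIF = "fxp0", "fxp1"                 # assumed outside / inside interface names
ALIAS = "12.34.56.78"                      # public address natd aliases to (from the post)
RFC1918_192 = ipaddress.ip_network("192.168.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out", relative to the firewall host
    iface: str       # interface the packet is seen on


class Natd:
    """Minimal natd: alias outbound flows on the outside interface to ALIAS and
    reverse the mapping for matching inbound replies. Simplification: the source
    port is kept as-is (natd only allocates a new one when the port is taken)."""

    def __init__(self, alias):
        self.alias = alias
        self.table = {}   # (alias_port, (remote_ip, remote_port)) -> (internal_ip, internal_port)

    def translate(self, pkt):
        if pkt.iface != OIF:
            return pkt                    # the divert rule is 'via ${oif}' only
        if pkt.direction == "out":
            self.table[(pkt.sport, (pkt.dst, pkt.dport))] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.alias)
        key = (pkt.dport, (pkt.src, pkt.sport))
        if pkt.dst == self.alias and key in self.table:
            ip, port = self.table[key]
            return replace(pkt, dst=ip, dport=port)   # still 'in via' OIF after translation
        return pkt                        # unsolicited inbound: passed through unchanged


def rfc1918_deny_matches(pkt, qualifier):
    """'deny all from any to 192.168.0.0/16 <qualifier> ${oif}'.
    ipfw semantics: 'via' matches either direction, 'in via'/'out via' only one."""
    if pkt.iface != OIF:
        return False
    if qualifier == "in via" and pkt.direction != "in":
        return False
    if qualifier == "out via" and pkt.direction != "out":
        return False
    return ipaddress.ip_address(pkt.dst) in RFC1918_192


def firewall(pkt, natd, qualifier, divert_first=True):
    """Walk the two rules in order. divert_first=True is the layout the post
    describes (divert natd, then the RFC1918 deny); False runs the deny before
    the divert, so the check sees the untranslated addresses."""
    if divert_first:
        pkt = natd.translate(pkt)
    if rfc1918_deny_matches(pkt, qualifier):
        return "deny"
    if not divert_first:
        pkt = natd.translate(pkt)
    return "allow"   # "allow" here means: fell through to the rest of the ruleset


def scenario(qualifier, divert_first=True):
    """Verdicts for four constructed packets; natd state carries over between them."""
    natd = Natd(ALIAS)
    syn   = Packet("192.168.1.2", 4444, "34.56.78.90", 22, "out", OIF)   # the post's connection
    reply = Packet("34.56.78.90", 22, ALIAS, 4444, "in", OIF)            # its reply on the outside
    leak  = Packet("192.168.1.2", 1234, "192.168.7.7", 80, "out", OIF)   # private dst escaping
    spoof = Packet("1.2.3.4", 40000, "192.168.1.5", 22, "in", OIF)       # private dst arriving from outside
    return {name: firewall(p, natd, qualifier, divert_first)
            for name, p in (("syn", syn), ("reply", reply), ("leak", leak), ("spoof", spoof))}


if __name__ == "__main__":
    for label, kw in (("original: via, divert first", dict(qualifier="via")),
                      ("site fix: out via, divert first", dict(qualifier="out via")),
                      ("alternative: via, divert after deny", dict(qualifier="via", divert_first=False))):
        print(f"{label:40s} {scenario(**kw)}")
```

With the original rule the translated reply is denied, as the post describes. Changing the rule to `out via` lets the reply through but, because it no longer matches inbound packets at all, an inbound packet with a 192.168.x destination is no longer caught by this rule and is left to whatever follows it. Keeping `via` and moving the natd divert after the RFC1918 checks lets the reply through (its destination is still the public alias when the deny is evaluated) while both the outbound leak and the inbound private-destination packet stay denied.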