Subject: Problems with natd and simple firewall
From: Stephen Montgomery-Smith (stephenmath.missouri.edu)
Date: Mon Jul 24 2000 - 13:47:12 CDT

I recently tried to get natd to work with the default
rc.firewall that comes with FreeBSD 4.1RC, and it didn't
work. I found the problem, from looking at the web site
which has a cure, but I wonder if there are other ways
to fix it.

In any case, the rc.firewall is currently seriously

Here is the setup: my external network has
net:mask =
and my internal network has
net:mask = 192.168.1/24

Now, suppose I have established a connection: to
natd changes this to to

Now a piece of tcp comes in: to via outside-interface
natd converts this to to via outside-interface

which immediately gets killed by the rule in rc.firewall:

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from any to via ${oif}

The web site fixes this by changing the line to:

        ${fwcmd} add deny all from any to out via ${oif}

Is this the correct way to deal with this? Does this leave the computer
open to spoofing? Is there some clever dynamic rule that could fix

Or is there some option to natd that would change to via outside-interface
to to via inside-interface

I think that the last option would be the best, and if natd does not
allow it, maybe it should be added to the program.

Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephenmath.missouri.edu
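To see why a bare `via ${oif}` rule denies the de-translated reply while `out via ${oif}` lets it through, the following is an added first-match simulation of the ipfw semantics involved (example code, not from the post or from FreeBSD). Interface names, the addresses and the extra anti-spoof rule (deny packets with internal source addresses arriving in via the outside interface, as the same rc.firewall also carries) are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example, not from the original post: a first-match simulator for
# the small subset of ipfw syntax the rc.firewall rules use. Interface names
# and addresses are assumptions; 203.0.113.0/24 is documentation address space.
OIF, IIF = "ed0", "ed1"
INET = "192.168.1.0/24"          # internal net from the post

def rule(action, src, dst, iface, direction=None):
    """direction None mirrors a bare 'via IFACE': it matches in AND out."""
    return (action, ip_network(src), ip_network(dst), iface, direction)

def matches(r, pkt):
    action, src, dst, iface, direction = r
    return (ip_address(pkt["src"]) in src
            and ip_address(pkt["dst"]) in dst
            and pkt["iface"] == iface
            and direction in (None, pkt["dir"]))

def verdict(rules, pkt):
    """ipfw stops at the first matching rule; a trailing allow is assumed."""
    for r in rules:
        if matches(r, pkt):
            return r[0]
    return "allow"

# Anti-spoof rule assumed from the same rc.firewall: internal source addresses
# must never arrive on the outside interface. Unaffected by the web-site fix.
ANTI_SPOOF = rule("deny", INET, "0.0.0.0/0", OIF, "in")

# Original: deny all from any to 192.168.0.0/16 via ${oif}
ORIGINAL = [ANTI_SPOOF, rule("deny", "0.0.0.0/0", "192.168.0.0/16", OIF)]
# Web-site fix: deny all from any to 192.168.0.0/16 out via ${oif}
FIXED = [ANTI_SPOOF, rule("deny", "0.0.0.0/0", "192.168.0.0/16", OIF, "out")]

# Constructed packets as the rules see them AFTER natd has rewritten them.
DENATED_REPLY = {"dir": "in", "iface": OIF, "src": "203.0.113.5", "dst": "192.168.1.10"}
SPOOFED_INBOUND = {"dir": "in", "iface": OIF, "src": "192.168.1.10", "dst": "203.0.113.5"}
LEAKED_OUTBOUND = {"dir": "out", "iface": OIF, "src": "203.0.113.9", "dst": "192.168.5.1"}

def compare():
    """Verdict under the original and the fixed ruleset for each packet."""
    return {name: (verdict(ORIGINAL, p), verdict(FIXED, p))
            for name, p in [("denated_reply", DENATED_REPLY),
                            ("spoofed_inbound", SPOOFED_INBOUND),
                            ("leaked_outbound", LEAKED_OUTBOUND)]}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:16s} original={before:5s} fixed={after}")
```

The de-translated reply is the only packet whose verdict changes; spoofed internal sources are still caught by the source-based anti-spoof rule, and RFC1918 destinations still cannot leave via the outside interface.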

