Subject: Re: Problems with natd and simple firewall
From: Shaun Jurrens (shamz@freenix.no)
Date: Tue Jul 25 2000 - 04:35:41 CDT
- Next message: Dmitry Pryanishnikov: "Re: ssh2 bypasses host.allow in /etc/login.conf?"
- Previous message: Kris Kennaway: "Re: Uninstalling KerberosIV"
- Maybe in reply to: Stephen Montgomery-Smith: "Problems with natd and simple firewall"
- Maybe reply: Shaun Jurrens: "Re: Problems with natd and simple firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi Guys,
I see (sorry, just via the website) that you have run upon the same problem as I
did, when I started using natd and ipfw with rules. There was a suggested fix
back in May on -net, iirc and perhaps a PR, but no one seems to have committed
the fix (??). In any case, since the divert routines re-inject the packets into
the firewall, you will kill your own nat'd packets. One could probably fix
this, but the suggested fix in May worked for me. One really just needed to
search the lists (and bite your teeth at the dodgy results, please fix that
script). I will paste my workaround. I actually have a setup that almost
anyone could use, with state functions, etc. I almost thought about submitting
it. Anyway, just add a small direction tag to the rules to stop the undesired
behaviour.
# These are supposed to stop traffic from supposed RFC1918 nets
$fwcmd add 2200 deny all from 192.168.0.0:255.255.0.0 to any in via ${exif}
$fwcmd add 2300 deny all from any to 192.168.0.0:255.255.0.0 out via ${exif}
$fwcmd add 2400 deny all from 172.16.0.0:255.240.0.0 to any in via ${exif}
$fwcmd add 2500 deny all from any to 172.16.0.0:255.240.0.0 out via ${exif}
$fwcmd add 2600 deny all from 10.0.0.0:255.0.0.0 to any in via ${exif}
$fwcmd add 2700 deny all from any to 10.0.0.0:255.0.0.0 out via ${exif}
(You'll notice the addition of "in" and "out" to the rules. rc.firewall as is
is not even usable with natd. It should be fixed/patched. I suggest using
these for now)
--
Yours truly,
Shaun D. Jurrens shaun@shamz.net
0860 Oslo Norway
ircnet nick: shamz #chillout #unix #freebsd
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
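The following script is an added illustration of the divert/re-inject problem described in the message above; it is not part of the email or of FreeBSD's rc.firewall. It is a tiny first-match evaluator for four ipfw-style rules that models what natd does on a divert rule placed ahead of the RFC1918 rules (rule 50 in the rc.firewall of the period), so the effect of adding "in" and "out" can be seen without a FreeBSD box. The public address 203.0.113.10, the LAN host 192.168.1.5, the remote host 198.51.100.7 and the way natd translation is modelled (an established session, no state tracking) are assumptions made for the example.

```sh
#!/bin/sh
# Constructed example: a first-match evaluator for four ipfw-style rules,
# modelling natd's divert/re-inject so the effect of the "in"/"out" keywords
# on the RFC1918 rules can be seen. It is not ipfw itself; matching is limited
# to what the example needs.

pubip=203.0.113.10   # assumed public address natd rewrites outbound sources to
lanhost=192.168.1.5  # assumed LAN host whose session natd maps replies back to

# Rule lists: "number action direction" per line. Direction "any" stands for a
# rule with no in/out keyword, as in the stock rc.firewall of the time.
broken_rules='50 divert any
2200 deny-src-rfc1918 any
2300 deny-dst-rfc1918 any
65000 allow any'

fixed_rules='50 divert any
2200 deny-src-rfc1918 in
2300 deny-dst-rfc1918 out
65000 allow any'

# is_rfc1918 ADDR: succeeds when ADDR lies in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# walk RULES DIR SRC DST: evaluates one packet seen on the external interface
# against RULES first-match style and prints "allow at N" or "deny at N".
# The divert rule is modelled as natd behaves for an established session:
# outbound packets get the public source, inbound ones get their destination
# mapped back to the LAN host, and evaluation resumes at the next rule.
walk() {
  rules=$1; dir=$2; src=$3; dst=$4; verdict="no match"
  while read -r num action rdir; do
    # a rule with a direction keyword only applies to packets going that way
    [ "$rdir" = any ] || [ "$rdir" = "$dir" ] || continue
    case $action in
      divert)
        if [ "$dir" = out ]; then src=$pubip; else dst=$lanhost; fi ;;
      deny-src-rfc1918)
        if is_rfc1918 "$src"; then verdict="deny at $num"; break; fi ;;
      deny-dst-rfc1918)
        if is_rfc1918 "$dst"; then verdict="deny at $num"; break; fi ;;
      allow)
        verdict="allow at $num"; break ;;
    esac
  done <<EOF
$rules
EOF
  echo "$verdict"
}

# Four packets on the external interface: the reply to a NAT'd session, the
# outbound packet that opened it, a spoofed private source from outside, and a
# LAN packet bound for a private address that must not leak out.
show() {
  printf '%-40s broken: %-15s fixed: %s\n' "$1" \
    "$(walk "$broken_rules" "$2" "$3" "$4")" \
    "$(walk "$fixed_rules" "$2" "$3" "$4")"
}
show "reply in   198.51.100.7 -> $pubip" in  198.51.100.7 "$pubip"
show "lan out    $lanhost -> 198.51.100.7" out "$lanhost"   198.51.100.7
show "spoof in   192.168.9.9 -> $pubip"  in  192.168.9.9  "$pubip"
show "leak out   $lanhost -> 10.1.2.3"   out "$lanhost"   10.1.2.3
```

The first line of output is the case the message is about: the reply comes in via the external interface with the public address as destination, natd rewrites it to the LAN host and re-injects it after rule 50, and the undirected "to 192.168/16 via exif" rule then drops the packet on the way back in. With "out" on that rule it is skipped for inbound packets, while the other three cases (legitimate outbound traffic, a spoofed private source arriving from outside, and a private destination leaking out) keep the same verdict in both rule sets, which is what the direction tags are meant to achieve.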