From: Gerhard Sittig (Gerhard.Sittig_at_gmx.net)
Date: Sat Jan 25 2003 - 13:46:45 CST


On Thu, Jan 23, 2003 at 23:20 +0800, Dung Patrick wrote:
>
> For the egress filtering, I would only allow my firewall to send out packets with the public IP of the firewall as the source address, not only drop outgoing packets with an RFC1918 source address.
>
> I have a rule like this in ipfilter:
>
> block out log on dc0 from !fw_public_IP to any
>
> But I see this in my log:
> 192.168.0.1 (private LAN) -> a.b.c.d (a web server on the Internet)
> The ipfilter has dropped/logged the packet before NAT. If it were after NAT, my source address would be fw_public_IP and the above block rule would be skipped.

You didn't say what other rules are there. Since you don't have
the "quick" keyword in the above rule, the "block" action is just
an assumption which could be "corrected" by later rules the packet
gets passed to. I.e. this is not a final decision, since you
specified so in your rule set. :)

Make sure you have read the excellent ipfilter HowTo, available
on the homepage. And make use of the offline test program which
tells you what it _would_ do to a certain packet when being fed
with a certain rule set (see `man ipftest`). You can even feed
this tool with pcap files or tcpdump(1) text output to kind of
replay what you have met in real life.

virtually yours    82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig     true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
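The point made in the reply above, that an ipfilter `block` rule without `quick` is only a tentative result that a later matching `pass` rule can override, is easy to see with a small model of the matching walk. The following is an added example, not code from the thread or from the ipfilter project: it simulates ipf's "last match wins unless a matching rule says quick" behaviour over the poster's egress rule and a constructed permissive rule that stands in for whatever follows it in the real rule set. The firewall address 203.0.113.10 is a constructed stand-in for `fw_public_IP`; the model covers rule matching only, not logging or the NAT stage.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the fw_public_IP placeholder used in the thread.
FW_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")


@dataclass
class Rule:
    """One ipf filter rule, reduced to the fields this example needs."""
    action: str        # "pass" or "block"
    direction: str     # "in" or "out"
    iface: str         # interface name, e.g. "dc0"
    src: str           # host or CIDR, "any", or "!addr" to negate (ipf syntax)
    quick: bool = False


@dataclass
class Packet:
    direction: str
    iface: str
    src: ipaddress.IPv4Address


def src_matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Match a source spec the way the rule's 'from' clause does, honouring '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    hit = addr in ipaddress.ip_network(spec, strict=False)
    return not hit if negate else hit


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface == pkt.iface
            and src_matches(rule.src, pkt.src))


def evaluate(rules: list, pkt: Packet, default: str = "pass") -> str:
    """Walk the rule set top to bottom as ipf does.

    A matching rule without 'quick' only records a tentative action that any
    later matching rule may replace (last match wins).  A matching rule with
    'quick' ends the walk, so its action is final.  With no match at all, ipf
    falls through to its default, which is to pass.
    """
    result = default
    for rule in rules:
        if rule_matches(rule, pkt):
            result = rule.action
            if rule.quick:
                break
    return result


# Constructed packets: one leaving dc0 with a LAN source (what the poster saw
# in the log), one whose source is already the firewall's public address.
LAN_PKT = Packet("out", "dc0", ipaddress.ip_address("192.168.0.1"))
NAT_PKT = Packet("out", "dc0", FW_PUBLIC_IP)

# The poster's rule as written (no 'quick'), followed by a constructed
# permissive rule standing in for later rules in the real set.
RULES_NO_QUICK = [
    Rule("block", "out", "dc0", f"!{FW_PUBLIC_IP}"),
    Rule("pass", "out", "dc0", "any"),
]

# The same set with 'quick' added, making the block final.
RULES_QUICK = [
    Rule("block", "out", "dc0", f"!{FW_PUBLIC_IP}", quick=True),
    Rule("pass", "out", "dc0", "any"),
]


if __name__ == "__main__":
    print("no quick, LAN source :", evaluate(RULES_NO_QUICK, LAN_PKT))  # pass
    print("quick,    LAN source :", evaluate(RULES_QUICK, LAN_PKT))     # block
    print("quick,    public src :", evaluate(RULES_QUICK, NAT_PKT))     # pass
```

Running it shows the block on the LAN-sourced packet surviving only in the `quick` variant; in the first rule set the later `pass` rule is the last match and the packet goes out. This is exactly the kind of question `ipftest` answers against the real rule set and a captured packet, without touching the live firewall.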

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message