----- Original Message -----
From: "John" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 05, 2004 2:45 PM
Subject: IPFW and NAT - blocking RFC 1918 ("unregistered") network that matches my own
> I am up and running with ipfw 2 and natd, but not all is quite well.
>
> I can't figure out how to block "spoofed" packets from the outside
> that use the same RFC 1918 network as the one I'm translating to.
> When I try to put that rule on the exterior interface, it ends up
> blocking the packets after they are translated.
>
> Specifically, the network I am using falls in the 192.168.0.0/16 range.
> (I won't publish exactly which one: you only have 254 to try...)
> If, however, I put in
> ${fwcmd} add deny ip from any to 192.168.0.0/16 via ${oif}
> then I cut off my interior network entirely, due, presumably, to
> the pass through the rules after translation.
>
> I suspect that I need some combination of "in" or "recv," but I
> would like to actually UNDERSTAND what I'm doing instead of just
> trying combinations 'til it works. On the other hand, there are
> sysctl kernel parameters that might affect this behavior, or maybe
> other natd parameters - so maybe that's not even the ticket.

Your best resource is /etc/rc.firewall. Look at the "simple" configuration.
It has rules for RFC1918 nets both before and after the divert rule, and
explains why.

--
Matt Emmerton

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
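Added example, written for this page and not taken from either poster or from the text of FreeBSD's /etc/rc.firewall: the "RFC 1918 rules before and after the divert rule" layout that Matt points at, reduced to the case John asked about. The interface names (fxp0/fxp1), the inside network 192.168.1.0/24 standing in for John's undisclosed one, and the rule numbers are assumptions. With FWCMD unset the script only prints the ruleset as a dry run; FWCMD=/sbin/ipfw loads it.

```sh
#!/bin/sh
# Added example in the style of rc.firewall's "simple" profile. It is not
# the text of /etc/rc.firewall and not code from either poster. Interface
# names, the inside network and rule numbers are assumptions; fwcmd
# defaults to "echo" so the script is a dry run that prints the ruleset.
# Run as: FWCMD=/sbin/ipfw sh rfc1918_nat.sh to load the rules for real.

fwcmd="${FWCMD:-echo}"
oif="${OIF:-fxp0}"                 # assumed exterior (Internet) interface
iif="${IIF:-fxp1}"                 # assumed interior interface
inet="${INET:-192.168.1.0}"        # assumed inside net (John's real /24 is not known)
imask="${IMASK:-255.255.255.0}"

rfc1918_nat_rules() {
    # Plain anti-spoofing: our own inside net must never arrive on the
    # outside interface. Evaluated before natd has rewritten anything.
    ${fwcmd} add 100 deny all from ${inet}:${imask} to any in via ${oif}

    # BEFORE the divert rule, packets on ${oif} still carry their
    # on-the-wire addresses. Inbound packets are addressed to our public
    # IP, so "to 192.168.0.0/16" cannot match the interior traffic John
    # wants to keep; it only matches packets that genuinely have a private
    # destination on the outside, e.g. an outbound packet aimed at a
    # private net, which should never leave the box.
    ${fwcmd} add 200 deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add 201 deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add 202 deny all from any to 192.168.0.0/16 via ${oif}

    # natd: inbound packets get their destination rewritten to the inside
    # host, outbound packets get their source rewritten to the public IP.
    # The packet then continues with the NEXT rule carrying the new
    # addresses. That is why the same "to 192.168.0.0/16" deny rule placed
    # after this line (John's experiment) matches every translated inbound
    # packet and cuts the interior network off.
    ${fwcmd} add 300 divert natd all from any to any via ${oif}

    # AFTER the divert rule: an inbound packet still has its original
    # source (natd only touched the destination), so a private source here
    # is a spoofed packet from the Internet, the case John wants to block.
    # An outbound packet already carries the public source and is not
    # matched. Placing these "from" rules BEFORE the divert would instead
    # block all untranslated outbound traffic from the inside net.
    ${fwcmd} add 400 deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add 401 deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add 402 deny all from 192.168.0.0/16 to any via ${oif}

    # The interior interface is trusted here; the remaining rules of a real
    # ruleset (stateful pass rules, services, final deny) follow this point.
    ${fwcmd} add 500 pass all from any to any via ${iif}
}

rfc1918_nat_rules
```

The two halves are mirror images on purpose: the destination-based RFC 1918 rules are only meaningful while addresses are still untranslated, the source-based ones only once natd has run, and the divert rule is the pivot between the two views of the same packet.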