From ru@ucb.crimea.ua  Sun Apr 12 01:48:21 1998
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [194.93.177.113])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA06824
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 12 Apr 1998 01:48:15 -0700 (PDT)
          (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost)
	by relay.ucb.crimea.ua (8.8.8/8.8.8) id LAA24223;
	Sun, 12 Apr 1998 11:48:05 +0300 (EEST)
	(envelope-from ru)
Message-Id: <199804120848.LAA24223@relay.ucb.crimea.ua>
Date: Sun, 12 Apr 1998 11:48:05 +0300 (EEST)
From: Ruslan Ermilov <ru@ucb.crimea.ua>
Reply-To: ru@ucb.crimea.ua
To: FreeBSD-gnats-submit@freebsd.org
Subject: /etc/rc.firewall: better RFC1918 nets protection
X-Send-Pr-Version: 3.2

>Number:         6278
>Category:       conf
>Synopsis:       /etc/rc.firewall: better RFC1918 nets protection
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 12 01:50:01 PDT 1998
>Closed-Date:    Wed Apr 15 09:41:20 PDT 1998
>Last-Modified:  Wed Apr 15 09:41:37 PDT 1998
>Originator:     Ruslan Ermilov
>Release:        FreeBSD 2.2.6-STABLE i386
>Organization:
>Environment:

FreeBSD 2.2.6-STABLE #0: Sat Apr 11 20:19:27 EEST 1998

>Description:

	There is only one half of the protection against
	RFC1918 nets usage on the outside interface.

>How-To-Repeat:

	See the source.

>Fix:
	
Index: rc.firewall
===================================================================
RCS file: /usr/FreeBSD-CVS/src/etc/rc.firewall,v
retrieving revision 1.6.2.6
diff -u -r1.6.2.6 rc.firewall
--- rc.firewall	1998/02/10 01:45:57	1.6.2.6
+++ rc.firewall	1998/04/12 08:28:49
@@ -140,8 +140,11 @@
 
     # Stop RFC1918 nets on the outside interface
     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
+    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
+    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
+    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
 
     # Allow TCP through if setup succeeded
     $fwcmd add pass tcp from any to any established
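Review bot: the three net/mask pairs are now written out twice each, so a loop over the prefixes (e.g. `for net in 192.168.0.0:255.255.0.0 172.16.0.0:255.240.0.0 10.0.0.0:255.0.0.0`) emitting both the `from $net to any` and the `from any to $net` rule would keep the source and destination masks from drifting apart on later edits. The added lines keep `via ${oif}`, which ipfw matches in either direction on that interface, so each pair now drops a private address whether it appears as source or destination, and the block still sits ahead of the `pass tcp ... established` rule as intended. The hunk leaves 127.0.0.0/8 unfiltered on ${oif}, which the reject-route list in the follow-up does cover.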

>Release-Note:
>Audit-Trail:

From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: ru@ucb.crimea.ua
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection 
Date: Sun, 12 Apr 1998 12:41:07 +0200

 >>Description:
 >
 >	There is only one half of protection of
 >	RFC1918 nets usage on outside interface.
 
 I think it is cheaper to add this protection with some discard routes,
 ie:
 
 	route add -net 10.0.0.0 -netmask 255.0.0.0 -reject
 	route add -net 172.16.0.0 -netmask 255.240.0.0 -reject
 	route add -net 192.168.0.0 -netmask 255.255.0.0 -reject
 	route add -net 127.0.0.0 -netmask 255.0.0.0 -reject
 
 (or use -blackhole if you prefer)
 
 --
 Poul-Henning Kamp             FreeBSD coreteam member
 phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
 "Drink MONO-tonic, it goes down but it will NEVER come back up!"
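Added example, not code from rc.firewall or from either message: a first-match model of the ipfw block in the patch (source-only rules before, both directions after) next to a model of the reject-route alternative above, run over constructed packets on an assumed outside interface `ed0`, to show which packets each mechanism stops.

```python
import ipaddress

# Constructed model; the interface name and the packets below are assumptions.
OIF = "ed0"                                  # assumed outside interface
RFC1918 = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
REJECT_ROUTES = RFC1918 + ["127.0.0.0/8"]    # the four -reject routes in the reply

def ipfw_rules(both_directions):
    """'Stop RFC1918 nets' block: source-side only (before the patch) or source
    and destination (after), followed by a stand-in for the later pass rules."""
    rules = []
    for net in RFC1918:
        rules.append(("deny", "src", net, OIF))
        if both_directions:
            rules.append(("deny", "dst", net, OIF))
    rules.append(("pass", "any", None, None))
    return rules

def ipfw_verdict(rules, src, dst, iface):
    """ipfw semantics: first matching rule wins; 'via oif' matches packets
    going either way on oif, so the rule never looks at direction itself."""
    for action, side, net, via in rules:
        if via is not None and via != iface:
            continue
        if side == "any":
            return action
        addr = ipaddress.ip_address(src if side == "src" else dst)
        if addr in ipaddress.ip_network(net):
            return action
    return "deny"   # unreachable here: the last rule passes everything

def route_verdict(src, dst, iface):
    """A -reject route is hit only when the destination lookup lands on it;
    the source address is never consulted, so a spoofed private source passes."""
    dst_addr = ipaddress.ip_address(dst)
    if any(dst_addr in ipaddress.ip_network(n) for n in REJECT_ROUTES):
        return "deny"
    return "pass"

# Constructed packets on the outside interface (TEST-NET addresses as public hosts)
PACKETS = {
    "spoofed_private_src": ("10.1.2.3", "203.0.113.5", OIF),
    "leak_to_private_dst": ("203.0.113.5", "192.168.1.1", OIF),
    "loopback_dst":        ("203.0.113.5", "127.0.0.1", OIF),
    "public_to_public":    ("198.51.100.7", "203.0.113.5", OIF),
}

def compare():
    """Per packet: (verdict before the patch, after the patch, with reject routes)."""
    before, after = ipfw_rules(False), ipfw_rules(True)
    return {name: (ipfw_verdict(before, *p), ipfw_verdict(after, *p), route_verdict(*p))
            for name, p in PACKETS.items()}
```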
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Wed Apr 15 09:41:20 PDT 1998 
State-Changed-Why:  
committed, thanks! 
>Unformatted:
