RE: risks of ip-forwarding, without ipf/ipfw

From: Dave Seddon
Date: 05/17/01

Date: Thu, 17 May 2001 10:37:10 +1000
From: Dave Seddon
To: freebsd-security@FreeBSD.ORG

I run a FreeBSD router/firewall for my home network, sharing cable.

If I wasn't actually packet filtering, how would somebody attack my
internal machines (assuming the gateway box was secure and people
couldn't telnet, etc, into it)? Doesn't natd provide a lot of
protection anyway? Natd dynamically keeps track of outgoing
connections, then maps these back on the way back in. So if somebody
tries to start a connection inbound, it will hit the router, natd will
look through its table, say to itself "no match" and drop the
packet(s). I assume that natd actually tracks the close of a tcp connection
and removes entries? Or is this done by some sort of timeout?

Is the way to attack:
Sit on the Cable Ethernet network, address frames to target site's
ethernet address, address packets to the (guessed) internal addresses
of the target site, and set the return packet address to your box?
(assuming no firewall)

Just wondering...

Dave Seddon

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Eric Anderson
Sent: Thursday, 17 May 2001 6:35
To: Crist Clark
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: risks of ip-forwarding, without ipf/ipfw

No, I'm not actually doing this, I was more curious than anything.

I use ipfilter myself.

Thanks for the good thoughts everyone.

Crist Clark wrote:
> Eric Anderson wrote:
> >
> > What are the risks of having a dual-homed machine (2 NIC's), one on
> > big bad internet and one on a home lan, with ip forwarding enabled,
> > without ipf or ipfw running?
> A.k.a. a router.
> All it means is that every machine on the home LAN must be hardened
> and treated as if it were directly connected to the Internet 'cause,
> well, it is.
> --
> Crist J. Clark Network Security
> Globalstar, L.P.
> (408) 933-4387 FAX: (408) 933-4926
> To Unsubscribe: send mail to
> with "unsubscribe freebsd-security" in the body of the message

Eric Anderson    Centaur Technology    (512)
The idea is to die young as late as possible.
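The table-lookup behaviour Dave describes above (an outbound connection creates an entry, an inbound packet is translated only when it matches one, and entries go away on close or by timeout) as a small toy model added here for illustration; it is not natd's code, and PUBLIC_ADDR, pkt(), NatTable and the sequential port pool are constructed assumptions (real natd prefers to keep the original source port and has its own timeouts).

```python
# Toy model of a natd-style stateful NAT table (added example, not natd's code); RFC 5737 addresses.
PUBLIC_ADDR = "203.0.113.7"   # the router's cable-side address (constructed)


def pkt(src, sport, dst, dport, flags=""):
    """Minimal TCP packet as a dict; flags is a string such as 'SYN', 'FIN', 'RST'."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


class NatTable:
    def __init__(self, idle_timeout=60.0):
        self.idle_timeout = idle_timeout
        self.next_port = 40000          # toy port pool; real natd prefers the original port
        self.entries = {}               # (remote_ip, remote_port, public_port) -> state

    def outbound(self, p, now):
        """LAN -> Internet: create or refresh the mapping and rewrite the source."""
        key = next((k for k, st in self.entries.items()
                    if k[:2] == (p["dst"], p["dport"])
                    and (st["in_ip"], st["in_port"]) == (p["src"], p["sport"])), None)
        if key is None:
            key = (p["dst"], p["dport"], self.next_port)
            self.next_port += 1
            self.entries[key] = {"in_ip": p["src"], "in_port": p["sport"],
                                 "fin_out": False, "fin_in": False, "last": now}
        self._touch(key, now, p["flags"], "fin_out")
        return dict(p, src=PUBLIC_ADDR, sport=key[2])

    def inbound(self, p, now):
        """Internet -> router: translate only if an entry matches; otherwise drop (None)."""
        key = (p["src"], p["sport"], p["dport"])
        st = self.entries.get(key)
        if st is None or p["dst"] != PUBLIC_ADDR:
            return None                 # "no match": unsolicited inbound is dropped
        self._touch(key, now, p["flags"], "fin_in")
        return dict(p, dst=st["in_ip"], dport=st["in_port"])

    def _touch(self, key, now, flags, fin_field):
        """Refresh the idle timer, record FINs, and delete the entry on RST or after both FINs."""
        st = self.entries[key]
        st["last"] = now
        if "FIN" in flags:
            st[fin_field] = True
        if "RST" in flags or (st["fin_out"] and st["fin_in"]):
            del self.entries[key]

    def expire(self, now):
        """Remove entries idle longer than the timeout (the fallback when no close is seen)."""
        stale = [k for k, st in self.entries.items() if now - st["last"] > self.idle_timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)
```

Note that the model only answers the table-lookup question: a packet addressed straight to an internal address rather than to PUBLIC_ADDR never consults the table at all, which is the case packet filtering exists to cover.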
