RE: risks of ip-forwarding, without ipf/ipfw

From: Dave Seddon
Date: 05/17/01

Date: Thu, 17 May 2001 10:37:10 +1000
From: Dave Seddon
To: freebsd-security@FreeBSD.ORG

I run a FreeBSD router/firewall for my home network, sharing cable.

If I wasn't actually packet filtering, how would somebody attack my
internal machines (assuming the gateway box was secure and people
couldn't telnet, etc, into it)? Doesn't natd provide a lot of
protection anyway? Natd dynamically keeps track of outgoing
connections, then maps these back on the way back in. So if somebody
tries to start a connection inbound, it will hit the router, natd will
look through its table, say to itself "no match" and drop the
packet(s). I assume that natd actually tracks the close of a TCP connection
and removes entries? Or is this done by some sort of timeout?

Is the way to attack:
Sit on the Cable Ethernet network, address frames to target site's
ethernet address, address packets to the (guessed) internal addresses
of the target site, and set the return packet address to your box?
(assuming no firewall)

Just wondering...

Dave Seddon
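An added illustration of the natd behaviour asked about above (example code written for this page, not natd's source or anything from the FreeBSD project). It models the translation table as a dictionary keyed on the remote endpoint and the external port: an outgoing connection creates an entry, a reply that matches one is rewritten back to the LAN host, an unsolicited packet to the external address finds no entry and is dropped, entries are removed on RST or after FINs in both directions, and idle entries expire. It also shows what the rest of the thread is about: a packet that arrives on the outside interface already addressed to an inside host never passes through natd at all, so only an ipfw/ipf-style ingress rule (here `filtering=True`) stops the kernel from simply forwarding it. The LAN prefix, external address, port range and idle timeout are constructed assumptions; natd's real timers and port allocation differ.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed topology: RFC 1918 LAN behind a gateway with an RFC 5737 documentation address.
LAN = ip_network("192.168.1.0/24")
EXTERNAL_IP = "203.0.113.5"
IDLE_TIMEOUT = 60.0  # seconds; an assumption, not natd's actual timer


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"  # TCP flags as letters: S, A, F, R


@dataclass
class Entry:
    lan_src: str
    lan_sport: int
    last_seen: float
    half_closed: bool = False  # one side has already sent FIN


class NatTable:
    """Outbound connections create entries; inbound packets are translated
    only when they match an entry, otherwise they are dropped."""

    def __init__(self, external_ip: str = EXTERNAL_IP, idle_timeout: float = IDLE_TIMEOUT):
        self.external_ip = external_ip
        self.idle_timeout = idle_timeout
        # (remote_ip, remote_port, external_port) -> Entry, used for inbound lookups
        self.inbound_map: Dict[Tuple[str, int, int], Entry] = {}
        # (lan_ip, lan_port, remote_ip, remote_port) -> external_port, used for outbound lookups
        self.outbound_map: Dict[Tuple[str, int, str, int], int] = {}
        self.next_port = 40000  # constructed allocation scheme

    def expire(self, now: float) -> int:
        """Drop entries idle longer than the timeout; return how many were removed."""
        stale = [k for k, e in self.inbound_map.items() if now - e.last_seen > self.idle_timeout]
        for k in stale:
            self._remove(k)
        return len(stale)

    def _remove(self, key: Tuple[str, int, int]) -> None:
        e = self.inbound_map.pop(key)
        self.outbound_map.pop((e.lan_src, e.lan_sport, key[0], key[1]), None)

    def _teardown(self, key: Tuple[str, int, int], entry: Entry, flags: str) -> None:
        # RST removes the entry at once; the second FIN (other side half-closed) removes it too.
        if "R" in flags:
            self._remove(key)
        elif "F" in flags:
            if entry.half_closed:
                self._remove(key)
            else:
                entry.half_closed = True

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> Internet: create or refresh the entry, rewrite the source."""
        okey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.outbound_map.get(okey)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.outbound_map[okey] = ext_port
            self.inbound_map[(pkt.dst, pkt.dport, ext_port)] = Entry(pkt.src, pkt.sport, now)
        key = (pkt.dst, pkt.dport, ext_port)
        entry = self.inbound_map[key]
        entry.last_seen = now
        self._teardown(key, entry, pkt.flags)
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> external address: translate on a match, else None ("drop")."""
        self.expire(now)
        key = (pkt.src, pkt.sport, pkt.dport)
        entry = self.inbound_map.get(key)
        if entry is None or pkt.dst != self.external_ip:
            return None  # "no match"
        entry.last_seen = now
        self._teardown(key, entry, pkt.flags)
        return Packet(pkt.src, pkt.sport, entry.lan_src, entry.lan_sport, pkt.flags)


def external_ingress(nat: NatTable, pkt: Packet, now: float,
                     filtering: bool) -> Tuple[str, Optional[Packet]]:
    """Gateway decision for a packet arriving on the Internet-facing NIC."""
    if filtering and ip_address(pkt.dst) in LAN:
        # The ipfw/ipf rule this thread is about: nothing from outside may claim an inside destination.
        return ("dropped by filter", None)
    if pkt.dst == nat.external_ip:
        translated = nat.inbound(pkt, now)
        return ("natd translated", translated) if translated else ("natd no match", None)
    if ip_address(pkt.dst) in LAN:
        # natd never sees this packet; with forwarding on and no filter the kernel just routes it.
        return ("forwarded unfiltered", pkt)
    return ("not for us", None)


if __name__ == "__main__":
    nat = NatTable()
    nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80, "S"), 0.0)
    print(external_ingress(nat, Packet("198.51.100.7", 80, EXTERNAL_IP, 40000, "SA"), 1.0, True))
    print(external_ingress(nat, Packet("198.51.100.9", 4444, EXTERNAL_IP, 22, "S"), 2.0, True))
    print(external_ingress(nat, Packet("198.51.100.9", 4444, "192.168.1.10", 22, "S"), 3.0, True))
```

The `filtering` flag is the whole difference between the two answers in the thread: with it, the LAN sees only replies natd has mapped; without it, natd's table protects only traffic addressed to the gateway's own external address.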

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Eric Anderson
Sent: Thursday, 17 May 2001 6:35
To: Crist Clark
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: risks of ip-forwarding, without ipf/ipfw

No, I'm not actually doing this, I was more curious than anything.

I use ipfilter myself.

Thanks for the good thoughts everyone.

Crist Clark wrote:
> Eric Anderson wrote:
> >
> > What are the risks of having a dual-homed machine (2 NIC's), one on
> > big bad internet and one on a home lan, with ip forwarding enabled,
> > without ipf or ipfw running?
> A.k.a. a router.
> All it means is that every machine on the home LAN must be hardened
> and treated as if it were directly connected to the Internet 'cause,
> well, it is.
> --
> Crist J. Clark Network Security
> Globalstar, L.P.
> (408) 933-4387 FAX: (408) 933-4926

Eric Anderson    Centaur Technology    (512)
The idea is to die young as late as possible.
To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message