Re: Egress filtering

From: Fernando Gleiser (fgleiser@cactus.fi.uba.ar)
Date: 01/23/03


Date: Thu, 23 Jan 2003 15:39:04 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: Dung Patrick <dkt@digitalme.com>

On Thu, 23 Jan 2003, Dung Patrick wrote:

> Hello,
>
> For egress filtering, I would only allow my firewall to send out
> packets with the public IP of the firewall as the source address, not
> just drop outgoing packets with an RFC1918 source address.
>
> I have a rule like this in ipfilter:
>
> block out log on dc0 from !fw_public_IP to any
>
> But I see this in my log:
> 192.168.0.1 (private LAN) -> a.b.c.d (a web server on the Internet)
> ipfilter has dropped/logged the packet before NAT. If it were after NAT, my source
> address would be fw_public_IP and the above block rule would be skipped.

ipfilter always sees the real IP. That is, it does filtering before NAT
for outgoing packets, and NAT before filtering for incoming ones.

                        Fer

>
> Any suggestion?
>
> Regards,
> Patrick
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
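A rule set that does what Patrick is after, given the ordering Fer describes (outbound filtering runs before NAT, inbound NAT runs before filtering). Because the outbound filter sees the untranslated private source, the egress rules have to pass the LAN range that is about to be NATed, plus the firewall's own address, and block everything else; after NAT the only source that ever leaves dc0 is the firewall's public IP, which is the goal. This is an added example, not configuration from either poster. It assumes the LAN is 192.168.0.0/24, that dc0 is the outside interface, and that fw_public_IP is a placeholder for the firewall's public address, as in the original rule; ipf expects a real address or resolvable hostname there.

```conf
# /etc/ipnat.conf  (added example; 192.168.0.0/24 and dc0 are assumptions)
# Translate the LAN to the outside interface's address. 0/32 tells ipnat
# to use whatever address is currently configured on dc0.
map dc0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map dc0 192.168.0.0/24 -> 0/32

# /etc/ipf.conf  (added example)
# Outbound rules are evaluated BEFORE NAT, so they see 192.168.0.x as the
# source address. Pass exactly the sources that are allowed to leave and
# log/drop anything else (spoofed, leaked or misconfigured addresses).
# fw_public_IP is a placeholder: replace it with the firewall's address.
pass out quick on dc0 from fw_public_IP to any keep state
pass out quick on dc0 from 192.168.0.0/24 to any keep state
block out log quick on dc0 all

# Inbound rules are evaluated AFTER NAT. Replies to the "keep state" rules
# above are matched by the state table before any rule is consulted, so
# they never reach this line; everything else arriving on dc0 is dropped
# and logged.
block in log quick on dc0 all
```

Load it with "ipnat -CF -f /etc/ipnat.conf" and "ipf -Fa -f /etc/ipf.conf". "ipfstat -hio" prints per-rule hit counts: after browsing from a LAN host the "pass out ... 192.168.0.0/24" rule should count up while the "block out" rule stays at zero, and the 192.168.0.1 -> a.b.c.d log line from the original post should no longer appear. The same ordering matters on the inbound side: a rule that is meant to match a port-forwarded (rdr) connection has to name the internal destination address, since the packet has already been translated by the time the filter sees it.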