
Re: PF gateway problems.. return traffic blocked (but not if in NAT mode!)



You're right. The RFC states the range is /12, but the error actually allows
'spoofed' addresses as legitimate, not legitimate ones as spoofed (which is
probably worse :)

172.16.0.0/16 = hosts from 172.16.0.1 - 172.16.255.254
172.16.0.0/12 = hosts from 172.16.0.1 - 172.31.255.254

Cheers,
Adrian.

-----Original Message-----
From: Richard P. Koett [mailto:mail-lists@telus.net] 
Sent: Wednesday, 26 June 2002 2:47 AM
To: misc@openbsd.org
Subject: Re: PF gateway problems.. return traffic blocked (but not if in NAT mode!)


> previous firewall gateways I built were running NAT and everything had
> generally worked quite well using my firewall rules, which usually look
> like:

>spoofed="{ 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16, 127.0.0.0/8 }"

Assuming that "spoofed" refers to the private address space defined in RFC
1918, you have a small typo there.

You should change "172.16.0.0/16" to "172.16.0.0/12". As it stands you are
defining almost 1 million legitimate addresses as "spoofed".
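As an added illustration (not part of either message above), the two host ranges and the address count from the thread can be checked with Python's ipaddress module. The table entries are copied from the quoted pf rule; the sample addresses and function names are constructed for this example.

```python
import ipaddress

# The "spoofed" table as posted (172.16.0.0/16 typo) beside the RFC 1918 form (/12).
SPOOFED_AS_POSTED = ["10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16", "127.0.0.0/8"]
SPOOFED_CORRECTED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def is_spoofed(addr, table):
    """True if addr falls inside any network of the given table (pf 'spoofed' match)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in table)


def host_range(cidr):
    """First and last usable host of a block, as the thread lists them."""
    net = ipaddress.ip_network(cidr)
    return str(net[1]), str(net[-2])


def gap_networks(posted_cidr, correct_cidr):
    """Networks inside the correct block that the posted (smaller) block does not cover."""
    posted = ipaddress.ip_network(posted_cidr)
    correct = ipaddress.ip_network(correct_cidr)
    if not posted.subnet_of(correct):
        raise ValueError("posted block is not a subnet of the correct one")
    return sorted(correct.address_exclude(posted))


def missed_addresses(posted_cidr, correct_cidr):
    """Count of RFC 1918 addresses the typo leaves unmatched by the table."""
    return sum(n.num_addresses for n in gap_networks(posted_cidr, correct_cidr))


if __name__ == "__main__":
    for cidr in ("172.16.0.0/16", "172.16.0.0/12"):
        print(cidr, "= hosts from %s - %s" % host_range(cidr))
    print("Addresses in /12 but not /16:", missed_addresses("172.16.0.0/16", "172.16.0.0/12"))
    for n in gap_networks("172.16.0.0/16", "172.16.0.0/12"):
        print("  unmatched by posted table:", n)
    # Constructed sample: a private address in the gap passes the posted table.
    for addr in ("172.16.5.5", "172.20.1.1"):
        print(addr, "posted:", is_spoofed(addr, SPOOFED_AS_POSTED),
              "corrected:", is_spoofed(addr, SPOOFED_CORRECTED))
```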