Here is an item that Derek may want to address at his talk. This message concerns net 44, which has special security considerations for legal reasons, but the issue affects anyone doing IP masquerading. This sort of problem could make someone tear their hair out for a couple of weeks -- or trace through the networking source code, which would amount to the same thing.

-- Mike

* Forwarded (from: Netmail) by Mike Bilow using BilowMail0.2.
* Original dated: Mar 12 '97, 10:21

From: Heikki Hannikainen <hessu at pspt.fi>
To: Giles Warham <giles at g7tgr.demon.co.uk>

On Tue, 11 Mar 1997, Giles Warham wrote:

> I used to configure my firewall to do masq. on all forwarding, but have
> since found this to cause problems when playing with ipip tunnels - I want
> the machines on my subnet 192.168.2.* to be accessible on g7szb's network
> 10.0.0.*. I have tinkered with my firewall to make it only masq packets
> forwarded from my ethernet, but ran into a problem...

This isn't actually a solution for your problem, but you and others might be interested:

There's an unexpected feature in the implementation of the firewall and the tunnel devices. An IP packet is checked against the forwarding firewall rules before it is sent to the tunnel device. But the tunnel device sends out the encap packets via the ip forwarding function, which checks the resulting packet against the forwarding rules again.

This struck me, when I was trying to use the forwarding rules to block anything except amprnet packets:

    /sbin/ipfwadm -F -p reject
    /sbin/ipfwadm -F -i accept -S 44.0.0.0/8 -D 44.0.0.0/8

Which obviously blocked the ip packets sent by the ipip tunnel device. Quite unexpected, before looking at the source code.

Of course, one can come around this one by inserting a rule:

    /sbin/ipfwadm -F -i accept -S ethernet-interface-address -D 0.0.0.0/0

This 'feature' could be surprising you or your masquerading rules... and will probably surprise lots of people running amprnet gateways using radio.
--- < Heikki Hannikainen <> ax.25: oh7lzb at oh7rba.#kuo.fin.eu > < Internet: hessu at pspt.fi <> Amprnet: oh7lzb at gw.oh7rba.ampr.org >
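The double pass Heikki describes, as an added model that is not part of the original message: a tiny first-match evaluator for an ipfwadm-style forwarding chain, run once on the inner amprnet packet and once on the encapsulated packet whose outer source is the gateway's ethernet address. The addresses 192.0.2.10 (ethernet interface) and 198.51.100.1 (remote tunnel endpoint) are constructed placeholders.

```python
"""Model of a forwarding chain being consulted twice for one tunnelled packet.
Added example; the rule semantics (first match wins, -p sets the default) follow
the ipfwadm commands quoted in the message. Addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    policy: str                  # "accept" or "reject"
    src: ipaddress.IPv4Network   # ipfwadm -S
    dst: ipaddress.IPv4Network   # ipfwadm -D


def rule(policy, src="0.0.0.0/0", dst="0.0.0.0/0"):
    # A bare host address such as -S 192.0.2.10 is treated as a /32.
    return Rule(policy, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def forward_chain(rules, default, src, dst):
    """Verdict of the forwarding chain: first matching rule, else the -p default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.policy
    return default


def send_via_tunnel(rules, default, inner_src, inner_dst, outer_src, outer_dst):
    """Return (inner verdict, outer verdict). The inner packet is checked on its
    way to the tunnel device; if accepted, the ipip driver re-forwards the
    encapsulated packet, whose outer header has the local interface as source,
    so the same chain is consulted a second time."""
    inner = forward_chain(rules, default, inner_src, inner_dst)
    if inner != "accept":
        return inner, None
    return inner, forward_chain(rules, default, outer_src, outer_dst)


ETH_ADDR = "192.0.2.10"        # constructed: gateway's ethernet interface address
REMOTE_GW = "198.51.100.1"     # constructed: far end of the ipip tunnel

# ipfwadm -F -p reject ; ipfwadm -F -i accept -S 44.0.0.0/8 -D 44.0.0.0/8
AMPR_ONLY = [rule("accept", "44.0.0.0/8", "44.0.0.0/8")]
# plus: ipfwadm -F -i accept -S ethernet-interface-address -D 0.0.0.0/0
WITH_FIX = AMPR_ONLY + [rule("accept", ETH_ADDR, "0.0.0.0/0")]

if __name__ == "__main__":
    args = ("44.1.2.3", "44.5.6.7", ETH_ADDR, REMOTE_GW)   # constructed 44/8 endpoints
    print("amprnet-only rules:", send_via_tunnel(AMPR_ONLY, "reject", *args))
    print("with interface rule:", send_via_tunnel(WITH_FIX, "reject", *args))
```

The first call shows the inner packet accepted and the encapsulated packet rejected, which is the silent drop the message describes; the second shows the extra interface rule letting the outer packet through.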