Subject: ipfilter question / vulnerability?
To: None <tech-security@netbsd.org>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: 09/24/1999 11:26:53
Message-ID: <19990924112653.A490@acheron.middleboro.ma.us>

[I sent a copy of this to ipfilter's author, but I'm sending
 it here as well so that it'll have more eyes on it.]

Hello.

I've searched around in the ipfilter list archives, and I've seen some
discussion of this issue, but I found no solution, and I'm hoping that
you'll be able to lend me some advice.

I've got a box set up using ipf and ipnat. The internal range is the ten
net, and the outside is on MediaOne. While I can block source-routed packets
destined for 10.x.x.x, I can't figure out how to block packets that are
from outside the firewall but locally originated and that point to the ten
net.

NAT working before ipf means that I can't simply block packets bound for
10.x.x.x, and ipnat fails to work at all if IPFORWARDING is turned off in
my kernel. (I'm using NetBSD-current/i386, built recently.)

There has to be some way to achieve what I want to do here... Can you point
me in the right direction? If there's no built-in way to do this, I'll attempt
to write in the support myself, but this would seem to be something that would
have quite a bit of general value, which is why I assume that it must be
possible already, somehow.

Thank you in advance. :)

-- 
    Mason Loring Bliss  mason@acheron.middleboro.ma.us  They also surf who
awake ? sleep : dream;  http://acheron.ne.mediaone.net  only stand on waves.
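The ordering problem described in the post (ipnat translating an inbound packet before ipf sees it, so a blanket inbound block on destinations in 10/8 would also hit legitimate replies to NATed connections) is usually handled by letting stateful entries pass the replies before the block rules are consulted. The following ipf/ipnat rule set is an added illustration of that approach, not configuration from the original message or from the ipfilter project; the interface name ne0, the 10.0.0.0/8 internal range and the port range in the portmap rule are assumptions chosen for the example.

```ipf
# --- /etc/ipnat.conf (constructed example) ---
# Translate everything leaving ne0 from the ten net to the interface's own address.
map ne0 10.0.0.0/8 -> 0/32 portmap tcp/udp 10000:20000
map ne0 10.0.0.0/8 -> 0/32

# --- /etc/ipf.conf (constructed example) ---
# Outbound connections from the internal range create state entries.
# Inbound replies are un-NATed first, then matched against state, and so
# never reach the block rules below.
pass out quick on ne0 proto tcp from 10.0.0.0/8 to any keep state
pass out quick on ne0 proto udp from 10.0.0.0/8 to any keep state
pass out quick on ne0 proto icmp from 10.0.0.0/8 to any keep state

# Anti-spoofing on the external interface: nothing arriving from outside
# should claim a source in the private range, and nothing without a
# matching state entry should be addressed into it (this is the case the
# post asks about: locally originated packets pointed at the ten net).
block in log quick on ne0 from 10.0.0.0/8 to any
block in log quick on ne0 from any to 10.0.0.0/8

# Source-routed packets are dropped regardless of destination.
block in log quick on ne0 from any to any with opt lsrr
block in log quick on ne0 from any to any with opt ssrr

# Default deny for whatever else comes in on the external interface.
block in log quick on ne0 all
```

The `log` keyword sends the dropped packets to ipmon, which is the simplest way to confirm that only unsolicited traffic is hitting the two private-range block rules and that NATed replies are being accepted via state rather than falling through to them; `ipfstat -s` shows the state table while a connection from an internal host is open.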