Are udp packets with non-routeable ip addresses valid on public network?
Kurt Buff
kurt.buff at gmail.com
Mon Oct 12 15:16:40 UTC 2015
On Mon, Oct 12, 2015 at 6:55 AM, Matthew Seaman
<m.seaman at infracaninophile.co.uk> wrote:
> On 2015/10/12 14:06, Ernie Luzar wrote:
>
>> I am receiving unsolicited inbound udp packets with a "to ip address"
>> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
>> packets from that LAN computer pass through the firewall NAT as
>> expected. I added a firewall rule to block that packet and there are no
>> outward signs of problems with that LAN computer.
>>
>> On other LAN PCs that run ms/windows, facebook or yahoo are sending
>> outbound udp packets with "from ip address" containing their LAN ip
>> address. I block these also without any outward signs of problems. These
>> packets are not being NAT'ed like other udp packets from that LAN PC are.
>>
>> I thought non-routeable ip addresses are invalid on the public network.
>>
>> Any ideas on what is occurring here?
>
> Do you mean you are receiving packets on the *external* interface of
> your firewall with an IP number for a host in the private address space
> on your internal lan?
>
> No, that shouldn't happen. RFC1918 addressed packets should not be
> routable on the Internet.
>
> It sounds as if your firewall might be letting un-NAT'ed traffic through
> itself for some combination of host and protocol, and you are somehow
> seeing responses. Or else someone has worked out what some of your
> internal addresses are and is trying to spoof your firewall -- but
> they'd have to be fairly close to you in network terms to even attempt that.
>
> Your firewall should reject such packets -- it's good practice to drop
> packets using private address space when they arrive from or depart to
> public networks, and also to drop packets that arrive at an 'impossible'
> interface according to the routing table. You can do that last bit
> fairly easily in pf(4) by something like:
>
> block in log quick on $ext_if from no-route to any
> block in log quick on $ext_if from urpf-failed to any
>
> Cheers,
>
> Matthew
I'll go a bit further, and also recommend that your router outside
your firewall, if you have one, as well as your firewall, should block
all bogons, inbound and outbound:
https://www.team-cymru.org/bogon-reference.html
Definitely audit your firewall to make sure it isn't emitting un-NATed packets.
Kurt
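Putting Matthew's two rules and Kurt's bogon advice together in one pf.conf fragment, as an added example that is not from either poster or from the FreeBSD project. The interface names em0/em1 and the LAN range 10.0.10.0/24 are assumptions (the range is inferred from the 10.0.10.1 address in the original question); the <martians> table lists the IANA special-purpose ranges that never belong on a public link, which is the fixed part of Team Cymru's bogon list (the full list also tracks unallocated space and changes over time, so it is normally fetched rather than hand-typed):

```pf
# Added example pf.conf (not from the thread). Interface names and the LAN
# range are assumptions; adjust to the real firewall.
ext_if  = "em0"
int_if  = "em1"
lan_net = "10.0.10.0/24"

# RFC 1918 space plus the other IANA special-purpose ("martian") ranges.
# A packet with one of these as source or destination on $ext_if is bogus.
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, \
    198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4 }

set skip on lo0

# Translate everything leaving the LAN to the external address. On FreeBSD's
# pf, NAT runs before the outbound filter rules, so the "block out" rules
# below only ever see packets that escaped translation.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Inbound on the public side: private/bogon source or destination is never
# legitimate (the OP's inbound udp to 10.0.10.1 lands here).
block in  log quick on $ext_if from <martians> to any
block in  log quick on $ext_if from any to <martians>

# Outbound on the public side: catches un-NATed leaks like the udp packets
# the OP saw leaving with a LAN source address, and logs them for auditing.
block out log quick on $ext_if from <martians> to any
block out log quick on $ext_if from any to <martians>

# Routing-table sanity checks, as in Matthew's reply: drop packets whose
# source has no route back, or whose source arrived on the wrong interface.
block in log quick on $ext_if from no-route to any
block in log quick on $ext_if from urpf-failed to any
antispoof log quick for $ext_if

# Default deny, then the minimum to let the LAN out with stateful replies.
block all
pass in  on $int_if from $lan_net to any
pass out on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because every block rule carries `log`, `tcpdump -n -e -ttt -i pflog0` then shows exactly which LAN host and protocol is producing un-NATed packets, which is the audit Kurt is asking for: if the `block out` rules on $ext_if ever fire, the leak is in the firewall's own NAT coverage rather than on the Internet side.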