COMMAND
	    ppp
SYSTEMS AFFECTED
	    FreeBSD 3.5, 3.5.1 prior to the 2000-10-30, 4.1, 4.1.1 prior to the  2000-10-30
PROBLEM
	    Following is based on a FreeBSD Sec Advisory FreeBSD-SA-00:70  and
	    it was  originally found  by Robin  Melville.   The ppp(8) utility
	    includes network address translation functionality for translating
	    between public and private IP address ranges.  It uses the libalias
	    library to perform translation services.
	    The "nat  deny_incoming" command  is documented  as "refusing  all
	    incoming connections" and is commonly used as a simple  "firewall"
	    to  prevent  outside  users  from  connecting  to  services on the
	    internal  network.   However  the  behaviour  of  the ppp code was
	    changed  in  the  4.x  and  3.x  branches  prior to the release of
	    FreeBSD 4.1  and 3.5  (on 2000-06-05  and 2000-06-03 respectively)
	    to allow  passing of  packets which  are not  understood, such  as
	    IPSEC  packets  and  other  IP  protocol  traffic  not  explicitly
	    recognised by the code as being an "incoming connection  attempt".
	    While this was  arguably incorrect behaviour  in itself, the  code
	    also   incorrectly   allowed   through   ALL   incoming   traffic,
	    effectively turning "deny_incoming" into a no-op.
	    Thus, users who are  using the deny_incoming functionality  in the
	    expectation that it  provides a "deny  by default" firewall  which
	    only allows through  packets known to  be part of  an existing NAT
	    session,  are  in  fact  allowing  other  types  of unsolicited IP
	    traffic into their internal network.
	    The behaviour of ppp was corrected to only allow incoming  packets
	    which are known to be part of a valid NAT session, which gives the
	    desired packet filtering behaviour in the general case.   Outgoing
	    IP  traffic  which  is  not  understood  by  libalias  (such as an
	    outgoing IPSEC packet part of a  VPN) will cause a NAT session  to
	    be  established  which  will  allow  incoming  packets  with   the
	    corresponding  source  and  destination  IP addresses and protocol
	    number to pass, but all others to be denied.
	    This behaviour may  be sufficient for  the security needs  of many
	    users, although users with  advanced filtering or security  policy
	    requirements are advised to use a more configurable packet  filter
	    such as those provided by  ipfw(8) or ipf(8) which can  meet their
	    needs.
	    The following released versions  of FreeBSD are the  only releases
	    vulnerable to this problem: 3.5, 3.5.1, 4.1, 4.1.1.  It was  fixed
	    in  the  4.1.1-STABLE  branch  prior  to  the  release  of FreeBSD
	    4.2-RELEASE.
	    Remote users can  cause incoming traffic  which is not  part of an
	    existing NAT session to pass the NAT gateway, which may constitute
	    a breach of security policy.
SOLUTION
	    Use a  true packet  filter such  as ipfw(8)  or ipf(8)  on the PPP
	    gateway  to  deny  incoming  traffic  according  to  the   desired
	    security policy.
	    Patch:
	
	        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:70/ppp.patch
	        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:70/ppp.patch.asc
	
	    Source:
	
	    Index: nat_cmd.c
	    ===================================================================
	    RCS file: /mnt/ncvs/src/usr.sbin/ppp/nat_cmd.c,v
	    retrieving revision 1.49
	    retrieving revision 1.50
	    diff -u -r1.49 -r1.50
	    --- nat_cmd.c	2000/07/11 22:11:31	1.49
	    +++ nat_cmd.c	2000/10/30 18:02:01	1.50
	    @@ -421,7 +421,11 @@
	           break;
	         case PKT_ALIAS_IGNORED:
	    -      if (log_IsKept(LogTCPIP)) {
	    +      if (PacketAliasSetMode(0, 0) & PKT_ALIAS_DENY_INCOMING) {
	    +        log_Printf(LogTCPIP, "NAT engine denied data:\n");
	    +        m_freem(bp);
	    +        bp = NULL;
	    +      } else if (log_IsKept(LogTCPIP)) {
	             log_Printf(LogTCPIP, "NAT engine ignored data:\n");
	             PacketCheck(bundle, MBUF_CTOP(bp), bp->m_len, NULL, NULL, NULL);
	           }