Are udp packets with non-routeable ip addresses valid on public network?

Matthew Seaman m.seaman at
Mon Oct 12 13:55:57 UTC 2015

On 2015/10/12 14:06, Ernie Luzar wrote:

> I am receiving unsolicited inbound udp packets with a "to ip address"
> [] of a computer on my LAN. Is this valid? Other tcp/udp
> packets from that LAN computer pass through the firewall NAT as
> expected. I added a firewall rule to block that packet and their are no
> outward signs of problems with that LAN computer.
> On other LAN PC's that run ms/windows and facebook or yahoo are sending
> out bound udp packets with "from ip address" containing their LAN ip
> address. I bock these also without any outward signs of problems. These
> packets are not being NAT'ed like other udp packets from that LAN PC are.
> I though non-routeable ip addresses are invalid on the public network.
> Any ideas on what is occurring here?

Do you mean you are receiving packets on the *external* interface of
your firewall with an IP number for a host in the private address space
on your internal lan?

No, that shouldn't happen.  RFC1918 addressed packets should not be
routable on the Internet.

It sounds as if your firewall might be letting un-NAT'ed traffic through
itself for some combination of host and protocol, and you are somehow
seeing responses.  Or else someone has worked out what some of your
internal addresses are and is trying to spoof your firewall -- but
they'd have to be fairly close to you in network terms to even attempt that.

Your firewall should reject such packets -- it's good practice to drop
packets using private address space when they arrive from or depart to
public networks, and also to drop packets that arrive at an 'impossible'
interface according to the routing table.  You can do that last bit
fairly easily in pf(4) by something like:

block in log quick on $ext_if from no-route to any
block in log quick on $ext_if from urpf-failed to any



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-questions mailing list