From owner-freebsd-security Thu Oct 14 2: 5:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137])
    by hub.freebsd.org (Postfix) with ESMTP id EF40D14BFC
    for ; Thu, 14 Oct 1999 02:05:51 -0700 (PDT)
    (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost)
    by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id CAA03026;
    Thu, 14 Oct 1999 02:04:52 -0700 (PDT)
Message-ID: <19991014020452.A2240@best.com>
Date: Thu, 14 Oct 1999 02:04:52 -0700
From: "Jan B. Koum "
To: Ollivier Robert , FreeBSD Security ML
Subject: Re: anti-spoofing
References: <10882.991003@cityline.ru> <19991004001028.A1795@keltia.freenix.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <19991004001028.A1795@keltia.freenix.fr>; from Ollivier Robert on Mon, Oct 04, 1999 at 12:10:28AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[sorry about getting here few days late -- way WAY behind on my email]

I think people should be blocking the following in addition to rfc1918:

    !see http://www.ietf.org/internet-drafts/draft-manning-dsua-01.txt
    deny ip host 0.0.0.0 any log
    deny ip 127.0.0.0 0.255.255.255 any log
    ! example.{com|net}, DHCP default and Multicast
    deny ip 192.0.2.0 0.0.0.255 any log
    deny ip 169.254.0.0 0.0.255.255 any log
    deny ip 224.0.0.0 0.15.255.255 any log

Above is from my cisco router. I'd say first two lines are probably
more important than last three.

-- Yan

On Mon, Oct 04, 1999 at 12:10:28AM +0200, Ollivier Robert wrote:
> According to Dmitriy Bokiy:
> > Where can I find _the complete_ list of addresses to be blocked?
>
> RFC-1918.
>
> It includes the following networks:
>
> 10.0.0.0/8 (in old pre-CIDR world, an A-class network)
> 172.16.0.0/12 (in old pre-CIDR world, 16 B-class networks)
> 192.168.0.0/16 (in old pre-CIDR world, 256 C-class networks).
>
> Don't forget to refuse your own prefixes on your incoming interface... That
> is, if you have a.b.c.d/n, you need to refuse this prefix on the incoming
> interface of your router.
> --
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
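
An added example, not part of the original thread: it converts the Cisco address/wildcard lines posted above to CIDR, merges them with the RFC 1918 prefixes and the site's own prefix from the quoted reply, and checks source addresses against the result. The function names and the 198.51.100.0/24 "own prefix" are assumptions made for illustration.

```python
import ipaddress

# ACL lines as posted in the message (Cisco syntax: address + wildcard mask).
POSTED_ACL = """\
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
! example.{com|net}, DHCP default and Multicast
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 0.15.255.255 any log
"""
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # from the quoted reply


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into a CIDR network."""
    inv = int(ipaddress.IPv4Address(wildcard))
    if inv & (inv + 1):  # wildcard bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~inv & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - inv.bit_length()))


def parse_deny_sources(acl_text):
    """Return the source networks of every 'deny ip <source> ...' line."""
    nets = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["deny", "ip"] or tok[2] == "any":
            continue  # remarks ("!") and lines without a specific source
        if tok[2] == "host":
            nets.append(wildcard_to_network(tok[3], "0.0.0.0"))
        else:
            nets.append(wildcard_to_network(tok[2], tok[3]))
    return nets


def build_ingress_denylist(own_prefixes=()):
    """Posted ACL + RFC 1918 + the site's own prefixes, as one sorted list."""
    nets = parse_deny_sources(POSTED_ACL)
    nets += [ipaddress.ip_network(p) for p in list(RFC1918) + list(own_prefixes)]
    return list(ipaddress.collapse_addresses(nets))


def matching_deny(src, denylist):
    """Return the network that rejects this source address, or None."""
    ip = ipaddress.ip_address(src)
    return next((net for net in denylist if ip in net), None)
```

Converting the posted multicast line gives 224.0.0.0/12; the full class D multicast range is 224.0.0.0/4, which as a wildcard mask is 15.255.255.255.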