From owner-freebsd-security Mon Dec 13 23:03:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from atdot.dotat.org (atdot.dotat.org [150.101.89.3]) by hub.freebsd.org (Postfix) with ESMTP id 8F6421558B for ; Mon, 13 Dec 1999 23:03:21 -0800 (PST) (envelope-from newton@atdot.dotat.org)
Received: (from newton@localhost) by atdot.dotat.org (8.9.3/8.7) id RAA80866; Tue, 14 Dec 1999 17:29:28 +1030 (CST)
Date: Tue, 14 Dec 1999 17:29:28 +1030
From: Mark Newton
To: Pierre Chiu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Why use a Firewall?
Message-ID: <19991214172928.A80831@atdot.dotat.org>
References: <3855E2B4.59CDD2FD@yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3855E2B4.59CDD2FD@yahoo.com>; from pccb@yahoo.com on Tue, Dec 14, 1999 at 01:24:52AM -0500
X-PGP-Key: http://slash.dotat.org/~newton/pgpkey.txt
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 14, 1999 at 01:24:52AM -0500, Pierre Chiu wrote:

> I don't think a firewall can stop spoofed IP.
> It can stop non-routable IP like (192.168.1.1), but if your IP is
> 24.112.1.1 and you spoofed it as 24.118.1.1, I doubt a firewall can detect
> it.

Of course a firewall can do that. Let's say your internal network is
192.82.222.0/24. You can prevent spoofed packets by applying a rule at
your border which rejects inbound packets which claim 192.83.222.0/24 as
a source. In Cisco parlance:

    interface serial0
      ip access-group 101 in
      ip access-group 102 out
    !
    access-list 101 deny   ip 192.82.222.0 0.0.0.255 any
    access-list 101 permit ip any any
    access-list 102 permit ip 192.82.222.0 0.0.0.255 any
    access-list 102 deny   ip any any

These rules will prevent your users from spoofing other networks and
other networks from spoofing you (but won't stop users on your network
from spoofing systems on your network). Tune to suit (e.g.: include
multicast addresses if it suits your fancy, block other things which
offend you, etc).
    - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
but it hurt when I walked.                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
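The following is an added example, not part of Mark Newton's post or of any Cisco software: a small Python model of the two access lists above. It converts Cisco wildcard masks to prefixes, evaluates a numbered IOS-style ACL with first-match-wins and the implicit trailing deny, binds list 101 to the inbound and list 102 to the outbound side of the border interface as the post does, and runs a few constructed packets through it. The sample addresses (10.9.8.7, 24.118.1.1 and the 192.82.222.0/24 hosts) are assumptions chosen for illustration; the "lan" direction marks host-to-host traffic inside the prefix, which never crosses the border and so is not filtered, the limitation the post points out.

```python
import ipaddress
from dataclasses import dataclass

# The access lists from the post, verbatim. List 101 is bound inbound on
# serial0 ("ip access-group 101 in"), list 102 outbound.
ACL_TEXT = """
access-list 101 deny ip 192.82.222.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 102 permit ip 192.82.222.0 0.0.0.255 any
access-list 102 deny ip any any
"""
INTERFACE_BINDING = {"in": 101, "out": 102}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 means /24."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wc)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def _take_match(tokens, i):
    """Consume one address spec ('any' or 'addr wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [Rule]}."""
    lists = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if action not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, i = _take_match(t, 4)
        dst, _ = _take_match(t, i)
        lists.setdefault(number, []).append(Rule(number, action, src, dst))
    return lists


def acl_decision(rules, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


def border_decision(acls, src, dst, direction):
    """Verdict for a packet seen on serial0 in the given direction.

    'lan' denotes traffic between two hosts inside 192.82.222.0/24; it never
    reaches the border router, so neither access list can act on it.
    """
    if direction == "lan":
        return "unfiltered"
    return acl_decision(acls[INTERFACE_BINDING[direction]], src, dst)


# Constructed sample packets (src, dst, where observed); not real traffic.
SAMPLE = [
    ("10.9.8.7",      "192.82.222.10", "in"),   # ordinary inbound
    ("192.82.222.5",  "192.82.222.10", "in"),   # outsider claiming an inside source
    ("192.82.222.10", "10.9.8.7",      "out"),  # ordinary outbound
    ("24.118.1.1",    "10.9.8.7",      "out"),  # inside host using a foreign address
    ("192.82.222.5",  "192.82.222.10", "lan"),  # inside-to-inside: border never sees it
]


def evaluate(text=ACL_TEXT, packets=SAMPLE):
    """Return (src, dst, direction, verdict) for each sample packet."""
    acls = parse_acl(text)
    return [(s, d, w, border_decision(acls, s, d, w)) for s, d, w in packets]


if __name__ == "__main__":
    for src, dst, where, verdict in evaluate():
        print(f"{where:3} {src:>15} -> {dst:<15} {verdict}")
```

The inbound list is what the post calls rejecting packets that "claim your network as a source"; the outbound list is the egress half that stops inside hosts from borrowing someone else's address. Both only work because the spoofed source lies on the wrong side of the interface, which is exactly why the fifth sample packet comes back unfiltered.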