From owner-freebsd-questions Sat Jan 5 18:28:47 2002
Date: Sat, 5 Jan 2002 10:56:30 -0800
From: "Crist J. Clark"
To: Joe & Fhe Barbish
Cc: FBSD Questions
Subject: Re: How to Stop IP spoofing in ipfw
Message-ID: <20020105105630.A204@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020104161354.D1205@gohan.cjclark.org>
In-Reply-To: ; from barbish@a1poweruser.com on Sat, Jan 05, 2002 at 01:21:39PM -0500
X-URL: http://people.freebsd.org/~cjc/

On Sat, Jan 05, 2002 at 01:21:39PM -0500, Joe & Fhe Barbish wrote:
> So are you recommending keep-state for tcp over
> dynamic table using setup, established, frag?

"It depends." That was just what I used in the example.

Stateless packet filtering has many known issues. With a stateless packet filter, you can still host scan through a firewall. Stateless packet filters will not stop Ping O' Death and similar (known or not-yet-known) attacks. Stateless packet filters tend to leave you pretty wide open when talking about any protocol other than TCP. That said, if you are using NAT with non-registered addresses, it makes such attacks more difficult.
But they are still quite possible to "near-by" attackers (e.g. if you are on an untrusted LAN, like a coaxial cable LAN, there may be some shady characters local to you, and there are _definitely_ clueless people who might have their computers hijacked by those shady types) unless you remember to block such attacks,

  ipfw add drop ip from any to $net1:$mask1 in via $oif

before your divert(4) rule to natd(8).

You can combine NAT and stateless filter rules to get a stateful firewall (for the machines behind the firewall, but not the firewall itself). The plus for stateless filtering is that it is easier and there are fewer things that may break or have bugs.

It typically isn't practical for the home user, but one of the best approaches is to put a stateless packet filter in front of your stateful one for a layered defense. This is often as simple as putting (stateless) access rules on an existing border router and then putting a more complex stateful firewall behind it.

-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
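The rule order the reply describes, an anti-spoof deny ahead of the divert(4) rule to natd(8) followed by stateless TCP rules, as an added example that is not part of the original message or of FreeBSD's own scripts. The interface name, inside network, netmask and rule numbers are assumed values.

```shell
#!/bin/sh
# Added example (not from the original message): emit an ipfw(8) ruleset in
# the order the reply recommends, so the anti-spoof deny precedes the divert
# rule to natd(8). Interface, network and rule numbers are assumed values.
# Run as root:  ipfw_rules ed0 192.168.1.0 255.255.255.0 | ipfw -q /dev/stdin

ipfw_rules() {
    oif=$1    # outside interface (assumed name)
    net1=$2   # inside, non-registered network
    mask1=$3  # its netmask
    cat <<EOF
# Anti-spoof, before NAT: nothing arriving on the outside interface may be
# addressed directly to the inside network (this is the rule in the reply).
add 100 deny ip from any to ${net1}:${mask1} in via ${oif}
# Companion check (added here): nothing arriving from outside may claim an
# inside source address either.
add 110 deny ip from ${net1}:${mask1} to any in via ${oif}
# NAT translates only what survived the checks above.
add 200 divert natd ip from any to any via ${oif}
# Stateless TCP: packets of connections already open, and new connections
# only from inside to outside. Combined with NAT this behaves statefully
# for the inside hosts, but not for the firewall itself.
add 300 allow tcp from any to any established
add 310 allow tcp from ${net1}:${mask1} to any out via ${oif} setup
# Everything else is dropped and logged.
add 65000 deny log ip from any to any
EOF
}

# Stand-alone use: print the ruleset for the three arguments given.
if [ "$#" -eq 3 ]; then
    ipfw_rules "$@"
fi
```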