Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 31 Jan 2004 14:05:33 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        "J.D. Bronson" <jbronson@lonebandit.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: tcp blackhole and ident
Message-ID:  <20040131140533.GA6295@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <6.0.2.0.2.20040131074525.00b3fdd8@cheyenne.wixb.com>
References:  <6.0.2.0.2.20040131072955.00b54ee8@cheyenne.wixb.com> <20040131133924.GB48307@happy-idiot-talk.infracaninophile.co.uk> <6.0.2.0.2.20040131074525.00b3fdd8@cheyenne.wixb.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

--u3/rZRmxL6MmkK24
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Jan 31, 2004 at 07:46:39AM -0600, J.D. Bronson wrote:
> At 07:39 AM 1/31/2004, Matthew Seaman wrote:

> >Run ipfw(8) or a similar firewall and set up a rule that sends an ICMP
> >reject whenever it detects an incoming connection on port 113 as part
> >of your firewall configuration.  Eg. something like:
> >
> >    01600 reset tcp from any to me dst-port 113 setup

> Thanks...but I have quite a robust Cisco firewall in place ahead of the=
=20
> freebsd machines...so I dont -need- to run ipfw...Hmmm...
>=20
> Actually since the Cisco is dropping any packets already, I wonder if=20
> 'blackhole' is simply a stupid idea in the first place...

Well, gee.  I'm sure Cisco PIX is capable of sending a 'reject' rather
than just dropping the packet.  Even so, don't dismiss running packet
filters locally on your FreeBSD boxes.  Think "defense in depth" -- or
how many things have to go wrong until there are bad consequences.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

--u3/rZRmxL6MmkK24
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAG7YtdtESqEQa7a0RAsRkAJ4wAXaG+LrpkpK4s8mGcjHOLn6wpwCeJ7l0
i1WupW/aVFJ++FbYmE7P24s=
=U191
-----END PGP SIGNATURE-----

--u3/rZRmxL6MmkK24--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040131140533.GA6295>