Date: Sat, 31 Jan 2004 14:05:33 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: "J.D. Bronson" <jbronson@lonebandit.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: tcp blackhole and ident
Message-ID: <20040131140533.GA6295@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <6.0.2.0.2.20040131074525.00b3fdd8@cheyenne.wixb.com>
References: <6.0.2.0.2.20040131072955.00b54ee8@cheyenne.wixb.com> <20040131133924.GB48307@happy-idiot-talk.infracaninophile.co.uk> <6.0.2.0.2.20040131074525.00b3fdd8@cheyenne.wixb.com>
On Sat, Jan 31, 2004 at 07:46:39AM -0600, J.D. Bronson wrote:
> At 07:39 AM 1/31/2004, Matthew Seaman wrote:
> >Run ipfw(8) or a similar firewall and set up a rule that sends an ICMP
> >reject whenever it detects an incoming connection on port 113 as part
> >of your firewall configuration. Eg. something like:
> >
> >    01600 reset tcp from any to me dst-port 113 setup
>
> Thanks...but I have quite a robust Cisco firewall in place ahead of the
> freebsd machines...so I don't -need- to run ipfw...Hmmm...
>
> Actually since the Cisco is dropping any packets already, I wonder if
> 'blackhole' is simply a stupid idea in the first place...

Well, gee.  I'm sure Cisco PIX is capable of sending a 'reject' rather
than just dropping the packet.

Even so, don't dismiss running packet filters locally on your FreeBSD
boxes.  Think "defense in depth" -- or how many things have to go wrong
until there are bad consequences.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAG7YtdtESqEQa7a0RAsRkAJ4wAXaG+LrpkpK4s8mGcjHOLn6wpwCeJ7l0
i1WupW/aVFJ++FbYmE7P24s=
=U191
-----END PGP SIGNATURE-----
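The point of the reset rule quoted above is that net.inet.tcp.blackhole stops the kernel answering SYNs to closed ports with a RST, so a remote mail server's ident lookup against TCP/113 hangs until it times out instead of failing immediately. The script below is an added example, not part of the thread: it audits, offline, whether a host's blackhole setting plus its ipfw ruleset will still answer ident probes promptly. The function names, the sample rulesets and the blackhole values fed to them are constructed for the example; on a real FreeBSD host you would pass in `sysctl -n net.inet.tcp.blackhole` and `ipfw list` instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check whether incoming
# ident (TCP/113) connection attempts get a prompt TCP reset on a FreeBSD
# host that uses net.inet.tcp.blackhole. Inputs are plain text so the
# script runs offline; feed it `sysctl -n net.inet.tcp.blackhole` and
# `ipfw list` on a live system. Assumes no identd is listening on 113.

# The rule recommended in the thread (rule number 01600 is the thread's own).
ident_reset_rule() {
    echo "01600 reset tcp from any to me dst-port 113 setup"
}

# audit_ident BLACKHOLE_LEVEL RULESET_TEXT
# Returns 0 when ident probes are answered with a RST (fail fast),
# 1 when they will be dropped silently (remote ident lookups hang),
# 2 on an unexpected blackhole value.
audit_ident() {
    blackhole="$1"
    ruleset="$2"
    # A reset/unreach rule for dst-port 113 answers the SYN no matter what
    # the sysctl says. Only "dst-port 113" as the first listed port is
    # recognised; port lists and ranges are out of scope for this check.
    if printf '%s\n' "$ruleset" | grep -Eiq \
        '^[0-9]+[[:space:]]+(reset|unreach[[:space:]]+[a-z-]+)[[:space:]]+tcp[[:space:]].*dst-port[[:space:]]+113([[:space:],]|$)'; then
        echo "ok: firewall rule resets ident connections"
        return 0
    fi
    # No such rule: behaviour falls back to the kernel's blackhole setting.
    #   0 -> RST sent for closed ports (ident fails fast)
    #   1 -> SYNs to closed ports dropped silently (ident hangs)
    #   2 -> all segments to closed ports dropped (ident hangs)
    case "$blackhole" in
        0) echo "ok: blackhole=0, kernel sends RST for closed port 113"; return 0 ;;
        1|2) echo "warn: blackhole=$blackhole and no reset rule for port 113: remote ident lookups will hang"; return 1 ;;
        *) echo "error: unexpected net.inet.tcp.blackhole value '$blackhole'"; return 2 ;;
    esac
}

# Constructed sample rulesets in `ipfw list` format (not from any real host).
SAMPLE_RULESET_NO_IDENT='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any'

SAMPLE_RULESET_WITH_IDENT="00100 allow ip from any to any via lo0
$(ident_reset_rule)
65000 allow ip from any to any
65535 deny ip from any to any"

# Demonstration: blackhole=2 without the rule warns, with the rule passes.
audit_ident 2 "$SAMPLE_RULESET_NO_IDENT" || true
audit_ident 2 "$SAMPLE_RULESET_WITH_IDENT" || true
```

The check only sees the local host; an upstream device such as the Cisco firewall in the thread that drops port 113 traffic before it reaches the FreeBSD box will still make remote ident lookups hang, which is exactly why a reject at whichever hop sees the packet first is the useful configuration.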