From owner-freebsd-bugs Sun Apr 12 03:50:06 1998
Date: Sun, 12 Apr 1998 03:50:02 -0700 (PDT)
Message-Id: <199804121050.DAA18249@hub.freebsd.org>
To: freebsd-bugs
From: Poul-Henning Kamp
Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
Reply-To: Poul-Henning Kamp
Sender: owner-freebsd-bugs@FreeBSD.ORG

The following reply was made to PR conf/6278; it has been noted by GNATS.

From: Poul-Henning Kamp
To: ru@ucb.crimea.ua
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
Date: Sun, 12 Apr 1998 12:41:07 +0200

>>Description:
>
> There is only one half of protection of
> RFC1918 nets usage on outside interface.

I think it is cheaper to add this protection with some discard routes, ie:

    route add -net 10.0.0.0 -netmask 255.0.0.0 -reject
    route add -net 172.16.0.0 -netmask 255.240.0.0 -reject
    route add -net 192.168.0.0 -netmask 255.255.0.0 -reject
    route add -net 127.0.0.0 -netmask 255.0.0.0 -reject

(or use -blackhole if you prefer)

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"Drink MONO-tonic, it goes down but it will NEVER come back up!"
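
Added example, not part of the original message or of FreeBSD's own code: a small Python model of a destination-based routing lookup using the four reject routes above. It shows that a more specific connected route still wins over a reject route, and that the lookup never consults the source address, so source filtering stays with the packet filter rules. The 192.168.1.0/24 inside LAN, the default route, the action labels and the sample addresses are constructed assumptions.

```python
import ipaddress

# The four reject routes from the message, written as CIDR prefixes.
REJECT_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def build_table(extra_routes=()):
    """Return a list of (network, action) routes.

    extra_routes: constructed (prefix, action) pairs, e.g. a connected inside LAN.
    """
    table = [(ipaddress.ip_network(n), "reject") for n in REJECT_NETS]
    table += [(ipaddress.ip_network(n), a) for n, a in extra_routes]
    # Constructed default route standing in for the outside interface.
    table.append((ipaddress.ip_network("0.0.0.0/0"), "forward:outside"))
    return table


def lookup(table, dst):
    """Longest-prefix match on the destination address only."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, action) for net, action in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def route_packet(table, src, dst):
    """Routing ignores src; the parameter exists only to make that visible."""
    return lookup(table, dst)


if __name__ == "__main__":
    # Constructed sample: the inside LAN is 192.168.1.0/24 on a connected interface.
    table = build_table([("192.168.1.0/24", "forward:inside")])
    samples = [
        ("203.0.113.5", "10.1.2.3"),      # destination in RFC1918 space
        ("203.0.113.5", "192.168.1.20"),  # destination on the inside LAN
        ("10.9.9.9", "198.51.100.7"),     # RFC1918 source, public destination
    ]
    for src, dst in samples:
        print(f"{src:>13} -> {dst:<13} {route_packet(table, src, dst)}")
```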