From: Mike Tancsa <mike@sentex.net>
Date: Mon, 24 Jan 2000 15:18:25 -0500
To: freebsd-security@freebsd.org
Subject: more complete ipfw rules
Message-Id: <3.0.5.32.20000124151825.01c3d100@staff.sentex.ca>

With all the recent talk of flooding etc., I decided to go over my ipfw rules
on my two border routers to a) make sure I am not letting in things I don't
need, and b) be a good net citizen and not allow source addresses to leave my
network that don't belong here.

With ${oif} being my outside interface, I had been using that stuff in

# Stop RFC1918 nets on the outside interface

But what about multicast addresses? I am not running any multicast
applications. Should there not also be

$fwcmd add deny all from 224.0.0.0/8 to any via ${oif}

and I was also wondering about

$fwcmd add deny all from 0.0.0.0/8 to any via ${oif}
$fwcmd add deny all from 255.0.0.0/8 to any via ${oif}

and I don't want outside connections with a source address of the loopback

$fwcmd add deny all from 127.0.0.0/8 to any in recv ${oif}

but I am not sure if this will do what I want it to do.

Are there any others? What about icmp? Just redirects?
---Mike

------------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administrator, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
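As an added example (not part of Mike's post), the anti-spoof filter he is sketching, written as an sh script that emits the ipfw deny rules for the outside interface and also carries an offline prefix matcher, so the list can be checked against sample source addresses before it is loaded. fwcmd, oif and ournet are assumed placeholders; the list treats multicast as the whole 224.0.0.0/4 and covers 255.0.0.0/8 via 240.0.0.0/4, and it includes the RFC1918 nets since the post's own RFC1918 rules are not shown.

```shell
#!/bin/sh
# Added example, not from the original post: emit the anti-spoof ipfw rules
# discussed above and check candidate source addresses against the same
# prefix list offline. fwcmd, oif and ournet are placeholders.
fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-fxp0}"
ournet="${ournet:-198.51.100.0/24}"   # placeholder for the site's own block

# Source prefixes that should never arrive on the outside interface.
# Multicast is the whole 224.0.0.0/4; 240.0.0.0/4 covers 255.0.0.0/8
# (reserved space plus the limited broadcast address).
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# ip2int DOTTED_QUAD -> 32-bit integer
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR NET/BITS -> exit 0 when ADDR lies inside the prefix
in_prefix() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# bogon_source ADDR -> print the matching prefix (exit 0), or exit 1
bogon_source() {
  for p in $BOGONS; do
    if in_prefix "$1" "$p"; then echo "$p"; return 0; fi
  done
  return 1
}

# emit_rules -> print the ipfw commands (review them, then pipe to sh).
# Inbound: no bogon source may arrive on the outside interface.
# Outbound: nothing not sourced from our own block may leave it.
# ICMP: drop redirects inbound rather than all of icmp.
emit_rules() {
  for p in $BOGONS; do
    echo "$fwcmd add deny all from $p to any in recv $oif"
  done
  echo "$fwcmd add deny all from not $ournet to any out xmit $oif"
  echo "$fwcmd add deny icmp from any to any in recv $oif icmptypes 5"
}

if [ "${1:-}" = "--rules" ]; then emit_rules; fi
```

Run it with `--rules` to print the rule set, or source it and call `bogon_source ADDR` to see which prefix, if any, would drop a given source address.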