From: Michael Dillon
Date: Tue, 17 Sep 1996 11:46:09 -0700 (PDT)
To: inet-access@earth.com
cc: iap@vma.cc.nd.edu, linuxisp@jeffnet.org, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
Subject: Livingston and spoofed source SYN attacks
Organization: Memra Software Inc. - Internet consulting

Seems there was a little problem with the Livingston filter that I posted

---------- fragment of message ----------

I have to stand somewhat corrected.

>create a filter "internet.out"
>Contents:
>three lines for each net block you have:
>
>    permit 1.2.3.4/20 tcp
>    permit 1.2.3.4/20 udp
>    permit 1.2.3.4/20 icmp

The more appropriate format would be:

    permit 1.2.3.4/20 0.0.0.0/0 tcp
    permit 1.2.3.4/20 0.0.0.0/0 udp
    permit 1.2.3.4/20 0.0.0.0/0 icmp

You are *supposed* to use a src/dest netblock pair, though I have set up
and used w/o a dest address and it worked.

>final line to log (optional) MUST COME AFTER permit list for netblocks:
>    deny log

If you choose not to log, then you need a line:

    deny

Otherwise that which falls through isn't denied, obviously.
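
The following is an added illustration, not part of the original message and not Livingston's software: a small Python model of a first-match rule list in the form the message shows, for checking which outbound packets an "internet.out" style filter would pass. The addresses are constructed, and the `fallthrough` default of "permit" is an assumption that follows the message's statement about packets that match no rule; check it against the device's own documentation.

```python
import ipaddress
from typing import NamedTuple, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

class Rule(NamedTuple):
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]          # None matches any protocol
    log: bool

def parse_rule(line: str) -> Rule:
    """Parse one rule as written in the message, e.g.
    'permit 1.2.3.4/20 0.0.0.0/0 tcp', 'deny log' or 'deny'."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    log = "log" in rest
    rest = [t for t in rest if t != "log"]
    # strict=False accepts a host address with a prefix, like 1.2.3.4/20
    nets = [ipaddress.ip_network(t, strict=False) for t in rest if "/" in t]
    protos = [t for t in rest if "/" not in t]
    src = nets[0] if nets else ANY
    dst = nets[1] if len(nets) > 1 else ANY   # missing dest treated as any
    return Rule(action, src, dst, protos[0] if protos else None, log)

def evaluate(rules, src, dst, proto, fallthrough="permit"):
    """First matching rule wins. Returns (action, logged).
    fallthrough is what happens when no rule matches (assumed, see lead-in)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in (None, proto):
            return r.action, r.log
    return fallthrough, False

# The filter from the message: own netblock permitted, everything else denied.
INTERNET_OUT = [parse_rule(l) for l in (
    "permit 1.2.3.4/20 0.0.0.0/0 tcp",
    "permit 1.2.3.4/20 0.0.0.0/0 udp",
    "permit 1.2.3.4/20 0.0.0.0/0 icmp",
    "deny log",
)]

if __name__ == "__main__":
    # Constructed packets: one sourced inside the netblock, one with a foreign source.
    for src in ("1.2.3.77", "10.9.8.7"):
        print(src, evaluate(INTERNET_OUT, src, "198.51.100.10", "tcp"))
```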