From owner-freebsd-isp Tue Sep 17 11:58:03 1996
Date: Tue, 17 Sep 1996 11:52:05 -0700 (PDT)
From: Michael Dillon
To: inet-access@earth.com
cc: iap@vma.cc.nd.edu, linuxisp@jeffnet.org, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
Subject: Livingston source spoofed SYN filters
Organization: Memra Software Inc. - Internet consulting

---------- fragment of a message ----------

> permit 1.2.3.4/20 tcp
> permit 1.2.3.4/20 udp
> permit 1.2.3.4/20 icmp

Actually, a single "permit 1.2.3.4/20" line will do. In Livingston command
line syntax:

    set filter internet.out 1 permit 1.2.3.4/20

> rest of the filter. This is optional. Keep in mind that the panix
> attack would probably have flooded your syslog machine's disk space
> with syslog info in this case. Hardening that is an issue for another day,
> however.

Logging denies will fill up your log anyway. Packets arriving for a dialup
user after he/she hangs up fall through to the default route back out of
the box. They are then _outbound_ packets with source address off the
network and destination address on the network.

Dialup providers who want to log denies based on a source address being on
their network should have a preceding unlogged deny based on the
destination address being on their network:

    set filter internet.out 1 permit 1.2.3.4/20
    set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
    set filter internet.out 3 deny log
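Added example, not part of the original message: a first-match simulation of the outbound filter above, with and without the unlogged destination-based deny, to show which packets reach the logged rule. It assumes Livingston rules are evaluated top to bottom with first match winning, "permit/deny SRC [DST]" fields and an implicit final deny; the sample addresses are constructed.

```python
# Simulate first-match evaluation of a Livingston-style outbound filter.
# Assumed semantics (not stated in the post): rules are tried in order,
# the first match decides, and an unmatched packet is denied without logging.
from ipaddress import ip_address, ip_network

NET = ip_network("1.2.3.4/20", strict=False)   # provider's block from the post (1.2.0.0/20)
ANY = ip_network("0.0.0.0/0")

# (action, source network, destination network, log?)  -- ordered, first match wins
FILTER_LOGGED_DENY_ONLY = [
    ("permit", NET, ANY, False),   # set filter internet.out 1 permit 1.2.3.4/20
    ("deny",   ANY, ANY, True),    # set filter internet.out 2 deny log
]
FILTER_WITH_UNLOGGED_DENY = [
    ("permit", NET, ANY, False),   # set filter internet.out 1 permit 1.2.3.4/20
    ("deny",   ANY, NET, False),   # set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
    ("deny",   ANY, ANY, True),    # set filter internet.out 3 deny log
]

def evaluate(rules, src, dst):
    """Return (action, logged) for the first rule matching an outbound packet."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, log in rules:
        if s in src_net and d in dst_net:
            return action, log
    return "deny", False   # implicit default deny (assumption)

# Constructed sample traffic as seen on the outbound side of the router
SAMPLES = {
    "legit":       ("1.2.3.7",      "198.51.100.9"),  # customer -> Internet
    "hung_up":     ("198.51.100.9", "1.2.3.7"),       # reply for a dialup user who hung up
    "spoofed_syn": ("203.0.113.5",  "198.51.100.9"),  # forged source leaving the network
}

def classify(rules):
    """Map each sample packet name to its (action, logged) verdict."""
    return {name: evaluate(rules, s, d) for name, (s, d) in SAMPLES.items()}

def logged_denies(rules):
    """Count how many of the sample packets would produce a syslog entry."""
    return sum(1 for action, log in classify(rules).values() if action == "deny" and log)

if __name__ == "__main__":
    for name, rules in (("logged deny only", FILTER_LOGGED_DENY_ONLY),
                        ("unlogged deny first", FILTER_WITH_UNLOGGED_DENY)):
        print(name, classify(rules), "logged:", logged_denies(rules))
```

With only the logged deny, the bounced packets for hung-up users hit the log alongside the spoofed traffic; with the unlogged destination-based deny in front, only packets with an off-network source and off-network destination are logged.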