From owner-freebsd-security Mon Jan 24 21:41:19 2000
Message-Id: <4.2.2.20000125003658.00b01550@mail.sentex.net>
Date: Tue, 25 Jan 2000 00:39:40 -0500
To: The Mad Scientist, freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: more complete ipfw rules
In-Reply-To: <4.1.20000124201245.00962220@mail.thegrid.net>
References: <3.0.5.32.20000124151825.01c3d100@staff.sentex.ca>

At 08:51 PM 1/24/2000 -0800, The Mad Scientist wrote:
>Don't forget about
>
>$fwcmd add 100 allow all from any to any via lo0
>$fwcmd add 200 deny log all from any to 127.0.0.0/8

Yup, that's already in there in the default rc.firewall.

>loose and strict source routing isn't illegal, but usually used for
>subversion.
>$fwcmd add 500 deny log ip from any to any in via ${out_if} ipoptions lsrr,ssrr

Thanks. That's a good one to consider as well.

        ---Mike