Date: Tue, 17 Sep 1996 16:00:06 -0700 (PDT)
From: "John G. Thompson" <jgt10@livingston.com>
To: inet-access@earth.com
Cc: inet-access@earth.com, iap@vma.cc.nd.edu, linuxisp@jeffnet.org, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
Subject: Re: Livingston and spoofed source SYN attacks
Message-ID: <Pine.SUN.3.91.960917155541.18140B-100000@server>
In-Reply-To: <Pine.BSI.3.93.960917114246.15605I-100000@sidhe.memra.com>
On Tue, 17 Sep 1996, Michael Dillon wrote:

> Seems there was a little problem with the Livingston filter that I posted
>
> ---------- fragment of message ----------
>
> I have to stand somewhat corrected.
>
> >create a filter "internet.out"
> >Contents:
> >three lines for each net block you have:
> >
> > permit 1.2.3.4/20 tcp
> > permit 1.2.3.4/20 udp
> > permit 1.2.3.4/20 icmp
>
> The more appropriate format would be:
> permit 1.2.3.4/20 0.0.0.0/0 tcp

This can be shortened to

        permit 1.2.3.4/20 0.0.0.0/0

which will show up on the filter display as

        permit 1.2.3.4/20 0.0.0.0/0 ip

> permit 1.2.3.4/20 0.0.0.0/0 udp
> permit 1.2.3.4/20 0.0.0.0/0 icmp
>
> You are *supposed* to use a src/dest netblock pair, though I have
> set up and used w/o a dest address and it worked.
>
> >final line to log (optional) MUST COME AFTER permit list for netblocks:
> > deny log
>
> If you choose not to log, then you need a line:
> deny
>
> Otherwise that which falls through isn't denied, obviously.

PortMaster filtering is evaluated in order of rules, with an implicit deny
if no matching rule is found. You don't need the final deny when you don't
want to log, but it isn't going to hurt anything.

JGT
--
John G. Thompson          Livingston Enterprises Inc.    Phone: (800) 458-9966
JOAT(MON)                 6920-220 Koll Centre Pkwy.     Fax:   (510) 426-8951
support@livingston.com    Pleasanton, CA 94566           http://www.livingston.com
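The semantics Thompson describes (rules evaluated in order, first match wins, anything that falls through is implicitly denied, and the trailing `deny log` only adds logging) are easy to get wrong when reasoning about an egress filter. The following is an added model of that evaluation, written for this archive page; it is not Livingston ComOS code and does not parse the PortMaster's real configuration language. It accepts the rule lines exactly as they appear in the thread (`permit SRC [DST] [PROTO]`, `deny`, `deny log`), with `1.2.3.4/20` standing in for the ISP's netblock as in the thread. The sample packets, the destination `198.51.100.10`, and the function and class names are all constructed for the example.

```python
"""Model of PortMaster-style egress filter evaluation.

Added example; this is NOT Livingston ComOS code. It models the two
behaviours described in the thread: rules are evaluated in order with the
first match winning, and traffic matching no rule is implicitly denied
(without logging).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # source netblock (ANY when omitted)
    dst: ipaddress.IPv4Network    # destination netblock (ANY when omitted)
    proto: str = "ip"             # "ip" matches every protocol
    log: bool = False             # log packets that match this rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


def parse_rule(line: str) -> Rule:
    """Parse one filter line in the form used in the thread.

    Accepts 'permit SRC [DST] [PROTO]', 'deny' and 'deny log'. A missing
    DST means 0.0.0.0/0 and a missing PROTO means 'ip' (any protocol),
    which is how the thread says the shortened form is displayed.
    """
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    action, rest = tokens[0], tokens[1:]
    log = "log" in rest
    rest = [t for t in rest if t != "log"]
    nets = [t for t in rest if "/" in t]
    protos = [t for t in rest if "/" not in t]
    if len(nets) > 2 or len(protos) > 1:
        raise ValueError(f"bad rule: {line!r}")
    # strict=False so "1.2.3.4/20" is read as the block 1.2.0.0/20
    src = ipaddress.IPv4Network(nets[0], strict=False) if nets else ANY
    dst = ipaddress.IPv4Network(nets[1], strict=False) if len(nets) > 1 else ANY
    return Rule(action, src, dst, protos[0] if protos else "ip", log)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """Return (action, index of the matching rule or None, logged).

    First matching rule wins. If nothing matches, the packet hits the
    implicit deny, which is not logged.
    """
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for i, r in enumerate(rules):
        if s in r.src and d in r.dst and r.proto in ("ip", pkt.proto):
            return (r.action, i, r.log)
    return ("deny", None, False)


# Per-protocol form from the thread; 1.2.3.4/20 stands in for the ISP's block.
INTERNET_OUT = [parse_rule(l) for l in [
    "permit 1.2.3.4/20 0.0.0.0/0 tcp",
    "permit 1.2.3.4/20 0.0.0.0/0 udp",
    "permit 1.2.3.4/20 0.0.0.0/0 icmp",
    "deny log",
]]
# Same list without the trailing deny: relies on the implicit deny.
INTERNET_OUT_NOLOG = INTERNET_OUT[:-1]
# Shortened form: a single rule covering all of IP.
INTERNET_OUT_SHORT = [parse_rule("permit 1.2.3.4/20 0.0.0.0/0")]

# Constructed sample traffic leaving the ISP towards the Internet.
CUSTOMER_SYN = Packet("1.2.5.6", "198.51.100.10", "tcp")   # legitimate source
SPOOFED_SYN = Packet("10.9.8.7", "198.51.100.10", "tcp")   # forged source, must not leave
CUSTOMER_GRE = Packet("1.2.5.6", "198.51.100.10", "gre")   # protocol not in the per-proto list


def main() -> None:
    for name, rules in (("per-protocol", INTERNET_OUT),
                        ("no trailing deny", INTERNET_OUT_NOLOG),
                        ("shortened", INTERNET_OUT_SHORT)):
        for pkt in (CUSTOMER_SYN, SPOOFED_SYN, CUSTOMER_GRE):
            print(f"{name:17} {pkt.src:>9} -> {pkt.dst} {pkt.proto:4} => {evaluate(rules, pkt)}")


if __name__ == "__main__":
    main()
```

Running it shows the point of the thread: the spoofed SYN is dropped under all three filters, and the only difference the trailing `deny log` makes is that the drop is attributed to a rule and logged rather than falling through to the silent implicit deny. It also shows the cost of the per-protocol list: a customer's GRE packet is dropped too, whereas the shortened `permit 1.2.3.4/20 0.0.0.0/0` (displayed as `ip`) lets every protocol from the netblock out.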