From owner-freebsd-isp Tue Sep 17 16:01:05 1996
Return-Path: owner-isp
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA20030 for isp-outgoing; Tue, 17 Sep 1996 16:01:05 -0700 (PDT)
Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA20016 for ; Tue, 17 Sep 1996 16:00:56 -0700 (PDT)
Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.7.5/8.6.9) with ESMTP id QAA01790; Tue, 17 Sep 1996 16:00:50 -0700 (PDT)
Received: (from jgt10@localhost) by server.livingston.com (8.7.1/8.6.9) id QAA26482; Tue, 17 Sep 1996 16:00:06 -0700 (PDT)
Date: Tue, 17 Sep 1996 16:00:06 -0700 (PDT)
From: "John G. Thompson"
X-Sender: jgt10@server
To: inet-access@earth.com
cc: inet-access@earth.com, iap@vma.cc.nd.edu, linuxisp@jeffnet.org, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
Subject: Re: Livingston and spoofed source SYN attacks
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 17 Sep 1996, Michael Dillon wrote:

> Seems there was a little problem with the Livingston filter that I posted
>
> ---------- fragment of message ----------
>
> I have to stand somewhat corrected.
>
> >create a filter "internet.out"
> >Contents:
> >three lines for each net block you have:
> >
> > permit 1.2.3.4/20 tcp
> > permit 1.2.3.4/20 udp
> > permit 1.2.3.4/20 icmp
>
> The more appropriate format would be:
> permit 1.2.3.4/20 0.0.0.0/0 tcp

This can be shortened to

    permit 1.2.3.4/20 0.0.0.0/0

which will show up on the filter display as

    permit 1.2.3.4/20 0.0.0.0/0 ip

> permit 1.2.3.4/20 0.0.0.0/0 udp
> permit 1.2.3.4/20 0.0.0.0/0 icmp
>
> You are *supposed* to use a src/dest netblock pair, though I have
> set up and used w/o a dest address and it worked.
> > >final line to log (optional) MUST COME AFTER permit list for netblocks:
> > deny log
>
> If you choose not to log, then you need a line:
> deny
>
> Otherwise that which falls through isn't denied, obviously.

Portmaster filtering is evaluated in order of rules, with an implicit deny if no matching rule is found. You don't need the final deny when you don't want to log, but it isn't going to hurt anything.

JGT

--
John G. Thompson          Livingston Enterprises Inc.    Phone: (800) 458-9966
JOAT(MON)                 6920-220 Koll Centre Pkwy.     Fax:   (510) 426-8951
support@livingston.com    Pleasanton, CA 94566           http://www.livingston.com
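The evaluation semantics discussed in this thread (rules checked top to bottom, first match decides, anything that matches no rule is implicitly denied, and a protocol-less rule means "ip") can be modelled in a few lines. The following is an added illustration written for this archive page, not PortMaster firmware or Livingston code; it loosely mimics the rule syntax shown above, treats a missing source or destination netblock as "any", and masks the example netblock 1.2.3.4/20 to its network (1.2.0.0/20), which is an assumption about how such a non-aligned prefix would be interpreted. The sample packets are constructed.

```python
"""Toy model of an ordered, first-match egress filter such as the
'internet.out' ruleset discussed in the thread.  Added example only;
not PortMaster code.  Rule lines look like:
    permit 1.2.3.4/20 0.0.0.0/0 tcp
    permit 1.2.3.4/20 0.0.0.0/0      (no protocol -> 'ip', i.e. any)
    deny log                         (no netblocks -> any src/dst)
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]         # None means any source
    dst: Optional[ipaddress.IPv4Network]         # None means any destination
    proto: str                                   # "ip" matches any protocol
    log: bool = False                            # trailing "log" keyword


def parse_rule(line: str) -> Rule:
    """Parse one filter line.  Netblocks are recognised by the '/' in them,
    the first is the source and the second the destination; a bare word is
    the protocol; a trailing 'log' turns on logging."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: %s" % action)
    log = False
    if rest and rest[-1] == "log":
        log = True
        rest = rest[:-1]
    nets = [t for t in rest if "/" in t]
    protos = [t for t in rest if "/" not in t]
    # strict=False masks host bits, so 1.2.3.4/20 becomes 1.2.0.0/20 (assumption)
    src = ipaddress.ip_network(nets[0], strict=False) if len(nets) > 0 else None
    dst = ipaddress.ip_network(nets[1], strict=False) if len(nets) > 1 else None
    proto = protos[0] if protos else "ip"
    return Rule(action, src, dst, proto, log)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str) -> Tuple[str, bool]:
    """Return (decision, logged) for one packet.  The first matching rule
    wins; a packet matching no rule is implicitly denied without logging,
    which is why 'deny log' is only useful as the last line."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for r in rules:
        if r.src is not None and s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        if r.proto != "ip" and r.proto != proto:
            continue
        return r.action, r.log
    return "deny", False


# Constructed ruleset in the shortened form from the thread: one permit per
# netblock (covering tcp, udp and icmp at once) followed by a logging deny.
INTERNET_OUT = [parse_rule(line) for line in (
    "permit 1.2.3.4/20 0.0.0.0/0",
    "deny log",
)]


def demo() -> dict:
    """Evaluate a legitimate packet, a spoofed-source packet, and the
    spoofed packet against a ruleset with no explicit deny line."""
    return {
        "legit":           evaluate(INTERNET_OUT, "1.2.5.6", "198.51.100.7", "tcp"),
        "spoofed":         evaluate(INTERNET_OUT, "10.0.0.1", "198.51.100.7", "tcp"),
        "spoofed_no_deny": evaluate(INTERNET_OUT[:1], "10.0.0.1", "198.51.100.7", "udp"),
    }


if __name__ == "__main__":
    for name, (decision, logged) in demo().items():
        print("%-16s %-6s logged=%s" % (name, decision, logged))
```

Running it shows the point made in the reply: the spoofed packet is dropped either way, but only the ruleset that ends in "deny log" records it, and putting "deny log" before the permit line would drop the legitimate traffic too, since the first match wins.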