Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 12 Aug 1999 13:33:40 -0600 (MDT)
From:      Nick Rogness <nick@rapidnet.com>
To:        Tom Brown <tomb@securify.com>
Cc:        "'Paul Hart'" <hart@iserver.com>, "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject:   RE: ipfw
Message-ID:  <Pine.BSF.4.05.9908121309450.51354-100000@rapidnet.com>
In-Reply-To: <01BEE4A6.75DBDD80@beetroot.securify.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 12 Aug 1999, Tom Brown wrote:

> > > what rules should I add to my ipfw ruleset to block out icmp 
> > > floods and smurf attacts, etc thanks.
> > 
> > For smurf attacks, I've done it 2 different ways before, assuming
> > your local net is 192.168.0.0/24:
> > 
> >    # Permit traffic from local net 192.168.0.0/24 to broadcast addr.
> >    ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32
> >    # Deny log traffic from outside local net to local broadcast
> >    ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0
> 
> Doesn't that just stop you from being used as a smurf amplifier?  I think
> the original poster wanted to know how to defend against being a smurf
> victim, which is much more difficult.  The best resources I've seen for

	No this DENIES anyone from outside trying to hit the broadcast on
	your local net.  How are they suppose to hit your broadcast if it
	is blocked at your gateways? I was assuming that this FreeBSD
	machine IS the 'gateway' to his internal network and there was no
	other path into his local net. In the example I gave de0 is the
	outside interface to the world and his entire LAN is behind that.
	That will stop Smurf & Fraggle attacks from outside to his Local
	LAN.  This attack should be blocked on ALL outside gateways or
	your local net will get nailed.

	I'm not concerned with anyone from the local LAN smurf attacking
	the local LAN because they will be affected just as well.
	However, you could add ipfw entries to DETECT this activity, but
	not block it.

*******************************************************************
Nick Rogness		     Shaw's Principle:
System Administrator	       Build a system that even a fool
RapidNet, INC   	       can use, and only a fool will
nick@rapidnet.com	       want to use it.
*******************************************************************




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9908121309450.51354-100000>