Date: Wed, 28 Feb 1996 11:05:24 PST
From: Bill Fenner <fenner@parc.xerox.com>
To: Nate Williams <nate@sri.mt.net>
Cc: Poul-Henning Kamp <phk@critter.tfs.com>, stable@freebsd.org, current@freebsd.org
Subject: Re: IPFW (was: Re: -stable hangs at boot)
Message-ID: <96Feb28.110530pst.177480@crevenia.parc.xerox.com>
In-Reply-To: Your message of "Mon, 26 Feb 1996 11:26:22 PST." <199602261926.MAA00360@rocky.sri.MT.net>

In message <199602261926.MAA00360@rocky.sri.MT.net> Nate wrote:
>I'm not sure I could
>see the need for filtering differently for incoming vs. outgoing (except
>in the case of syn. packets).

You can prevent many IP spoofing attacks by disallowing packets with IP
source addresses that match your internal network addresses from coming
in your external connection (e.g. Xerox does

access-list N deny 13.0.0.0 0.255.255.255 any

on its incoming interface on the Cisco)

>That reminds me. I haven't looked yet, but does the new code also
>filter out routing information? The old code didn't (and other firewall
>code I have used does).

Sorry, this doesn't make much sense to me -- shouldn't "filtering routing
information" just be another firewall rule? Seems like policy to me.

  Bill
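
The direction-dependent anti-spoofing rule quoted in the message above, worked through as an added example that is not part of the original e-mail or of any FreeBSD or Cisco code. The rule model, the trailing permit rules and the sample packets are constructed for illustration; only the deny line's address and wildcard mask come from the message.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style match: wildcard bits set to 1 are "don't care" bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str      # "deny" or "permit"
    direction: str   # "in" or "out", relative to the external interface
    base: str
    wildcard: str

# First rule is the one from the message, bound to the incoming side of the
# external interface. The two permit rules are assumptions for this demo.
RULES = [
    Rule("deny", "in", "13.0.0.0", "0.255.255.255"),
    Rule("permit", "in", "0.0.0.0", "255.255.255.255"),
    Rule("permit", "out", "0.0.0.0", "255.255.255.255"),
]

def evaluate(src: str, direction: str, rules=RULES) -> str:
    """First matching rule for this direction wins; implicit deny at the end."""
    for r in rules:
        if r.direction == direction and wildcard_match(src, r.base, r.wildcard):
            return r.action
    return "deny"

# Constructed sample packets: (source address, direction on external interface)
SAMPLES = [
    ("13.2.116.11", "in"),   # claims an internal source but arrives from outside
    ("192.0.2.7", "in"),     # ordinary external host
    ("13.2.116.11", "out"),  # genuine internal host sending outbound
]

def run_samples():
    return [(src, d, evaluate(src, d)) for src, d in SAMPLES]

if __name__ == "__main__":
    for src, d, verdict in run_samples():
        print(f"{d:3} {src:15} -> {verdict}")
```

The same source address gets opposite verdicts depending on direction, which is why the filter has to distinguish incoming from outgoing traffic.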