From owner-freebsd-stable Wed Feb 28 14:07:52 1996
Return-Path: owner-stable
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA18946 for stable-outgoing; Wed, 28 Feb 1996 14:07:52 -0800 (PST)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id OAA18909 Wed, 28 Feb 1996 14:07:41 -0800 (PST)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id QAA03415; Wed, 28 Feb 1996 16:05:27 -0600
From: Joe Greco
Message-Id: <199602282205.QAA03415@brasil.moneng.mei.com>
Subject: Re: IPFW (was: Re: -stable hangs at boot)
To: fenner@parc.xerox.com (Bill Fenner)
Date: Wed, 28 Feb 1996 16:05:26 -0600 (CST)
Cc: nate@sri.MT.net, phk@critter.tfs.com, stable@freebsd.org, current@freebsd.org
In-Reply-To: <96Feb28.110530pst.177480@crevenia.parc.xerox.com> from "Bill Fenner" at Feb 28, 96 11:05:24 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-stable@freebsd.org
Precedence: bulk

> In message <199602261926.MAA00360@rocky.sri.MT.net> Nate wrote:
> >I'm not sure I could
> >see the need for filtering differently for incoming vs. outgoing (except
> >in the case of syn. packets).
>
> You can prevent many IP spoofing attacks by disallowing packets with IP source
> addresses that match your internal network addresses from coming in your
> external connection (e.g. Xerox does
>
> access-list N deny 13.0.0.0 0.255.255.255 any
>
> on its incoming interface on the Cisco)

Technically, one might want to place its much-less-often-considered brother
in the firewall too... the one that prevents OUTgoing packets that do NOT
have a 13.0.0.0 address... (no I don't do this either but I should).

... JG
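
Added example (not part of the original message or of the quoted reply): the inbound rule quoted above and the outbound counterpart described in the reply, evaluated with Cisco-style wildcard-mask matching over constructed sample packets. The function names and the sample source addresses are assumptions made for this illustration.

```python
import ipaddress

# Prefix and wildcard mask taken from the quoted rule:
#   access-list N deny 13.0.0.0 0.255.255.255 any
INTERNAL_ADDR = "13.0.0.0"
INTERNAL_WILDCARD = "0.255.255.255"


def wildcard_match(src: str, addr: str, wildcard: str) -> bool:
    """Cisco-style match: bits set in the wildcard mask are "don't care"."""
    s = int(ipaddress.IPv4Address(src))
    a = int(ipaddress.IPv4Address(addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (s & care) == (a & care)


def filter_external(src: str, direction: str) -> str:
    """Verdict for a packet crossing the external interface (hypothetical helper).

    "in":  arriving from outside, deny if the source claims to be internal.
    "out": leaving to the outside, deny if the source is NOT internal.
    """
    internal = wildcard_match(src, INTERNAL_ADDR, INTERNAL_WILDCARD)
    if direction == "in":
        return "deny" if internal else "permit"
    if direction == "out":
        return "permit" if internal else "deny"
    raise ValueError(f"unknown direction: {direction!r}")


# Constructed sample packets: (source address, direction on the external interface).
SAMPLES = [
    ("13.1.2.3", "in"),       # outside packet carrying an internal source address
    ("192.0.2.10", "in"),     # ordinary external source
    ("13.200.0.7", "out"),    # internal host with its real address
    ("198.51.100.5", "out"),  # packet leaving with a non-internal source address
]


def classify_samples():
    """Return (source, direction, verdict) for each constructed sample."""
    return [(s, d, filter_external(s, d)) for s, d in SAMPLES]


if __name__ == "__main__":
    for src, direction, verdict in classify_samples():
        print(f"{direction:>3} src={src:<15} {verdict}")
```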