From owner-freebsd-questions@FreeBSD.ORG Sun Oct 23 17:25:25 2005
Date: Sun, 23 Oct 2005 20:23:43 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Chuck Swiger
Cc: Eric F Crist, freebsd questions <freebsd-questions@freebsd.org>
Subject: Re: RFC: my firewall ruleset(s)
Message-ID: <20051023172343.GA1290@flame.pc>
References: <1440F1E5-DC5A-4C7B-AC72-8ECBEC7B4A65@secure-computing.net> <435BB665.70001@mac.com>
In-Reply-To: <435BB665.70001@mac.com>
List-Id: User questions (freebsd-questions@freebsd.org)

On 2005-10-23 12:12, Chuck Swiger wrote:
> You have anti-spoofing for the loopback, lo0 interface, but not for
> your other interfaces. You should add anti-spoofing rules, and also
> block strict and loose source routing [1]:
>
> # Stop strict and loose source routing
> add deny log all from any to any ipoptions ssrr
> add deny log all from any to any ipoptions lsrr

Agreed. Please note that this is ``an extra layer of protection'' though.
The relevant bits are already disabled through sysctl settings, by
default, and have to be explicitly enabled:

% flame:/home/keramida$ sysctl -a | fgrep accept_source
% net.inet.ip.accept_sourceroute: 0
% flame:/home/keramida$ sysctl -a | fgrep redirect
% net.inet.ip.redirect: 1
% net.inet.icmp.log_redirect: 1
% net.inet.icmp.drop_redirect: 1
% net.inet6.ip6.redirect: 1
% flame:/home/keramida$

I'm sure Chuck already knows this. Just adding a minor note, to make
sure you, Eric, don't get the wrong impression that a firewall is an
absolute *requirement* to block these.
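The two ipfw rules quoted above match on the IPv4 header options that carry a source route: SSRR (option type 137) and LSRR (option type 131). The following is an added example, not code from this thread or from FreeBSD; it parses the IPv4 option list the way such a rule has to, flags those two option types, and refuses malformed option lists rather than guessing. The packets are constructed inline for the demonstration; the helper names (`build_ipv4`, `source_route_option`, `source_route_options`) and the addresses are assumptions of the example.

```python
"""Detect IPv4 strict/loose source-route options (what 'ipoptions ssrr'
and 'ipoptions lsrr' match).  Added example with constructed packets."""
import socket
import struct

# IPv4 option type codes (RFC 791): copied flag | class | number.
OPT_EOL = 0      # end of option list
OPT_NOP = 1      # no-operation, used as padding
OPT_RR = 7       # record route: records hops, does NOT steer the packet
OPT_LSRR = 131   # loose source and record route
OPT_SSRR = 137   # strict source and record route

SOURCE_ROUTE_NAMES = {OPT_LSRR: "lsrr", OPT_SSRR: "ssrr"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(packet: bytes) -> list:
    """Return [(type, data), ...] for every option in the IPv4 header.

    Raises ValueError if the header or an option length is inconsistent;
    a filter must drop such a packet instead of skipping the option."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("IHL %d inconsistent with packet length" % ihl)
    opts = packet[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:            # EOL terminates the list
            break
        if kind == OPT_NOP:            # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d length %d overruns header" % (kind, length))
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def source_route_options(packet: bytes) -> list:
    """Names of source-route options present, e.g. ['lsrr']; [] if none."""
    return [SOURCE_ROUTE_NAMES[k] for k, _ in parse_options(packet)
            if k in SOURCE_ROUTE_NAMES]


def source_route_option(kind: int, hops: list) -> bytes:
    """Encode an LSRR/SSRR option: type, length, pointer (4 = first hop), hops."""
    body = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([kind, 3 + len(body), 4]) + body


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build an IPv4 header (+ payload) with a correct IHL and checksum."""
    options += b"\x00" * ((-len(options)) % 4)   # pad option list to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header += options
    csum = checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


# Constructed sample packets (assumed addresses, not captured traffic).
PLAIN = build_ipv4("10.0.0.1", "10.0.0.2")
LSRR_PACKET = build_ipv4("10.0.0.1", "10.0.0.2",
                         source_route_option(OPT_LSRR, ["192.0.2.1", "192.0.2.2"]))
SSRR_PACKET = build_ipv4("10.0.0.1", "10.0.0.2",
                         b"\x01" + source_route_option(OPT_SSRR, ["192.0.2.1"]))
RR_PACKET = build_ipv4("10.0.0.1", "10.0.0.2", bytes([OPT_RR, 7, 4]) + b"\x00" * 4)
# LSRR option claiming 11 bytes but carrying only one hop: must be rejected.
TRUNCATED = build_ipv4("10.0.0.1", "10.0.0.2",
                       bytes([OPT_LSRR, 11, 4]) + socket.inet_aton("192.0.2.1"))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr", LSRR_PACKET),
                      ("ssrr", SSRR_PACKET), ("record-route", RR_PACKET)]:
        print(name, source_route_options(pkt))
    try:
        source_route_options(TRUNCATED)
    except ValueError as exc:
        print("truncated:", exc)
```

Note that a record-route option (type 7) is deliberately not matched: it only records addresses and cannot redirect the packet, so the rules above leave it alone. A malformed option list raises rather than being silently ignored, which is the behaviour a filter needs if an attacker pads or truncates options to slip past it.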