Date: Wed, 26 Jul 2000 11:17:29 +1000 (Australia/NSW) From: Darren Reed <avalon@coombs.anu.edu.au> To: billf@chimesnet.com (Bill Fumerola) Cc: freebsd@gndrsh.dnsmgr.net (Rodney W. Grimes), mike@adept.org (Mike Hoskins), stephen@math.missouri.edu (Stephen Montgomery-Smith), freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall Message-ID: <200007260117.LAA18927@cairo.anu.edu.au> In-Reply-To: <20000725193941.P51462@jade.chc-chimes.com> from "Bill Fumerola" at Jul 25, 2000 07:39:41 PM
next in thread | previous in thread | raw e-mail | index | archive | help
In some mail from Bill Fumerola, sie said: > > On Tue, Jul 25, 2000 at 02:28:09PM -0700, Rodney W. Grimes wrote: > > > And I'll cast my vote against -antispoof for the following reasons. > > Ditto. > > > a) The non-problem it attempts to solve can be handled by a correct > > ipfw rule set. > > > > b) These are RFC1918 addresses and have little to nothing to do with > > spoofing. RFC1918 != spoof. Spoofing occurs when using ligitmate > > globally routed IP addresses, usually the attack targets address as a > > source address in a packet. The flag should be -antirfc1918. > > > > c) It also totally ignores the fact that the problematic IP addresses > > are much more than RFC1918 and include the following: > > 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4 > > that need to be dealt with properly and carefully at both interfaces > > in a firewall. > > Speaking has someone who operates a packet magnet, spoofed addresses come > from _EVERYWHERE_ and there isn't a whole lot you can do to stop that > (short of checking the route back before allowing the packet, which is more > costly etc etc, cisco has something that does this). Just to add fuel to this little fire, IP Filter has a knob which allows for blocking of packets received on an interface for which the route to the source address goes out a different interface. fr_chksrc sysctl net.inet.ipf.fr_chksrc Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200007260117.LAA18927>