Date:      Mon, 12 Nov 2001 15:10:34 +0100
From:      Bart Matthaei <bart@dreamflow.nl>
To:        Wade Majors <wade@ezri.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID:  <20011112151034.A23730@heresy.dreamflow.nl>
In-Reply-To: <001201c16b82$4da9d1e0$9700a8c0@ezri>; from wade@ezri.org on Mon, Nov 12, 2001 at 08:59:47AM -0500
References:  <001201c16b82$4da9d1e0$9700a8c0@ezri>


On Mon, Nov 12, 2001 at 08:59:47AM -0500, Wade Majors wrote:
> These are the only things before natd, which is rule 00050.

That's a good thing. It's wise to set those rules before you pass any
packet to natd.

> In the few days I've had them in; it hasn't caught anything, so I'm
> going to assume this isn't breaking anything legitimate. The question
> is: is this the right way to check for this stuff, anyway? Should I even
> worry about this since my network using private IPs?

The chance of people using this technique isn't very big; nevertheless,
securing yourself from it is a good thing. The way you deny access to your
services (set up for your private net) from the outside world depends
on your technique of firewalling.

I set a default rule on deny, and allow everything coming
in from my private network's interface (so not by IP classes).

If you allow services from your internal net by allowing certain
IP classes, it's wise to block packets coming from those IP classes via
the external interface.
(deny all from $ipclass to any recv $extrnl_if)

Hope this helps ;)

Rgds,

B.

-- 
Bart Matthaei                 bart@dreamflow.nl

/* Welcome to my world.. You just live in it */
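The ruleset below is an added example, not code from the thread or from either poster: it puts the advice above into a complete ipfw rule list, with the anti-spoofing denies numbered below the natd divert (rule 50, as in the poster's setup), the private side trusted by interface rather than by address range, and a default deny at the end. The interface names fxp0 (external) and fxp1 (internal), the natd divert port, and the rule numbers other than 50 are assumptions; service-specific allow rules for inbound traffic from the Internet would go between rule 200 and the final deny.

```shell
#!/bin/sh
# Added example (not from the original message): an ipfw ruleset that
# applies the thread's advice. Interface names, the natd divert port and
# all rule numbers except 50 are assumptions.

EXT_IF="${EXT_IF:-fxp0}"   # assumed Internet-facing interface
INT_IF="${INT_IF:-fxp1}"   # assumed interface toward the private LAN
NATD_RULE=50               # the natd divert rule number from the thread
NATD_PORT=8668             # natd's default divert port (assumption)

# RFC 1918 ranges plus loopback. None of these can legitimately arrive on
# the external interface, so a packet claiming one of them there is spoofed.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Emit the whole ruleset in "ipfw add" form, lowest rule number first.
gen_ruleset() {
    n=10
    # Anti-spoofing: numbered below NATD_RULE so ipfw evaluates them before
    # the divert, i.e. "deny all from $ipclass to any recv $extrnl_if".
    for net in $PRIVATE_NETS; do
        echo "add $n deny log ip from $net to any in recv $EXT_IF"
        n=$((n + 1))
    done
    echo "add $NATD_RULE divert $NATD_PORT ip from any to any via $EXT_IF"
    echo "add 100 allow ip from any to any via lo0"
    # Trust the private side by interface, not by address range, as the
    # message recommends; a spoofed RFC 1918 source on EXT_IF never matches.
    echo "add 200 allow ip from any to any in recv $INT_IF"
    # (allow rules for services reachable from the Internet belong here)
    echo "add 65000 deny log ip from any to any"
}

# Return 0 if every anti-spoofing deny is numbered below NATD_RULE, so the
# spoof check really does run before packets are handed to natd.
antispoof_precedes_natd() {
    gen_ruleset | awk -v natd="$NATD_RULE" '
        /deny/ && /recv/ && ($2 + 0) >= (natd + 0) { bad = 1 }
        END { exit bad }'
}

# Load the ruleset into the kernel. Only runs when invoked as "apply";
# by default the script just prints the rules so they can be reviewed.
apply_ruleset() {
    f=$(mktemp) || return 1
    gen_ruleset > "$f"
    ipfw -q -f flush && ipfw -q "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run it without arguments to see the rules; run it with `apply` (as root, on the firewall) to flush and load them. The `log` keyword on the deny rules is what makes the check observable: if nothing ever shows up in the ipfw log, the rules are not breaking legitimate traffic, which is the test the original poster was doing.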

