Date: Mon, 12 Nov 2001 15:10:34 +0100 From: Bart Matthaei <bart@dreamflow.nl> To: Wade Majors <wade@ezri.org> Cc: freebsd-security@freebsd.org Subject: Re: Filtering packets based on incoming address [ack. plaintext now] Message-ID: <20011112151034.A23730@heresy.dreamflow.nl> In-Reply-To: <001201c16b82$4da9d1e0$9700a8c0@ezri>; from wade@ezri.org on Mon, Nov 12, 2001 at 08:59:47AM -0500 References: <001201c16b82$4da9d1e0$9700a8c0@ezri>
next in thread | previous in thread | raw e-mail | index | archive | help
--wRRV7LY7NUeQGEoC Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Nov 12, 2001 at 08:59:47AM -0500, Wade Majors wrote: > These are the only things before natd, which is rule 00050. Thats a good thing. Its wise to set those rules before you pass any packet to natd. > In the few days I've had them in; it hasn't caught anything, so I'm > going to assume this isn't breaking anything legitimate. The question > is: is this the right way to check for this stuff, anyway? Should I even > worry about this since my network using private IPs? The chance of people using this technique isnt very big, nevertheless, securing yourself from it is a good thing. The way you deny access to your services (set up for your private net) from the outside world depends on your technique of firewalling. I set a default rule on deny, and allow everything coming in from my private network's interface (so not with ip classes).=20 If you allow services from your internal net by allowing certain ipclasses, its wise to block packets coming from those ipclasses via the external interface. (deny all from $ipclass to any recv $extrnl_if) Hope this helps ;) Rgds, B. --=20 Bart Matthaei bart@dreamflow.nl /* Welcome to my world.. You just live in it */ --wRRV7LY7NUeQGEoC Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE779hagcc6pR+tCegRAqUrAKDN/Frks+earJglUHUXduEXziYRbgCgvqey 7NhHCFATwG/5NCerBFa31ko= =DAl1 -----END PGP SIGNATURE----- --wRRV7LY7NUeQGEoC-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011112151034.A23730>