From owner-freebsd-security Mon Nov 12 6:10:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 38C9B37B405 for ; Mon, 12 Nov 2001 06:10:36 -0800 (PST) Received: (qmail 23773 invoked by uid 1000); 12 Nov 2001 14:10:34 -0000 Date: Mon, 12 Nov 2001 15:10:34 +0100 From: Bart Matthaei To: Wade Majors Cc: freebsd-security@freebsd.org Subject: Re: Filtering packets based on incoming address [ack. plaintext now] Message-ID: <20011112151034.A23730@heresy.dreamflow.nl> Reply-To: Bart Matthaei References: <001201c16b82$4da9d1e0$9700a8c0@ezri> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="wRRV7LY7NUeQGEoC" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <001201c16b82$4da9d1e0$9700a8c0@ezri>; from wade@ezri.org on Mon, Nov 12, 2001 at 08:59:47AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --wRRV7LY7NUeQGEoC Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Nov 12, 2001 at 08:59:47AM -0500, Wade Majors wrote: > These are the only things before natd, which is rule 00050. Thats a good thing. Its wise to set those rules before you pass any packet to natd. > In the few days I've had them in; it hasn't caught anything, so I'm > going to assume this isn't breaking anything legitimate. The question > is: is this the right way to check for this stuff, anyway? Should I even > worry about this since my network using private IPs? The chance of people using this technique isnt very big, nevertheless, securing yourself from it is a good thing. The way you deny access to your services (set up for your private net) from the outside world depends on your technique of firewalling. I set a default rule on deny, and allow everything coming in from my private network's interface (so not with ip classes).=20 If you allow services from your internal net by allowing certain ipclasses, its wise to block packets coming from those ipclasses via the external interface. (deny all from $ipclass to any recv $extrnl_if) Hope this helps ;) Rgds, B. --=20 Bart Matthaei bart@dreamflow.nl /* Welcome to my world.. You just live in it */ --wRRV7LY7NUeQGEoC Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE779hagcc6pR+tCegRAqUrAKDN/Frks+earJglUHUXduEXziYRbgCgvqey 7NhHCFATwG/5NCerBFa31ko= =DAl1 -----END PGP SIGNATURE----- --wRRV7LY7NUeQGEoC-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message