Date: Sat, 24 Jun 2000 14:24:38 +0300 From: Giorgos Keramidas <keramida@ceid.upatras.gr> To: cjclark@alum.mit.edu Cc: freebsd-questions@FreeBSD.ORG Subject: Re: Confused by Loopback Message-ID: <20000624142438.A27546@hades.hell.gr> In-Reply-To: <20000623193527.B481@dialin-client.earthlink.net>; from cristjc@earthlink.net on Fri, Jun 23, 2000 at 07:35:27PM -0700 References: <20000621205221.A43715@pool0586.cvx20-bradley.dialup.e> <20000623004145.B17268@hades.hell.gr> <20000623193527.B481@dialin-client.earthlink.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jun 23, 2000 at 07:35:27PM -0700, Crist J. Clark wrote:
>
>On Fri, Jun 23, 2000 at 12:41:45AM +0300, Giorgos Keramidas wrote:
>> If what puzzles you is that you actually *got* some replies back, you
>> have to use a firewall to stop packets originating from, or destined to
>> hosts in 127.0.0.0/8, from traversing your tun0 interface :)
>
> I was not bothering to firewall my ppp. After firewalling on my cable
> modem hookup, I did not figure dialing in a few minutes at a time was
> much of a problem... now I wonder.
It is not necessary for everyone to be paranoid. However, after playing
around with ipfilter and making myself a closed-type firewall (the rules
are listed at the end of this message), I saw far too many blocked
packets to just ignore the fact that I was being constantly port-scanned
while I was online!
Anyway, the rules that I now use look like:
@1 pass out quick proto tcp from any to any keep state
@1 block in log from any to any
@2 block in proto eigrp from any to any
@3 pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
@4 block in log quick from 127.0.0.0/8 to any
@5 block in log quick from any to 127.0.0.0/8
@6 pass in quick proto tcp from any port = 20 to any keep state
@7 pass in quick proto tcp from any to any port = 22 keep state
@8 pass in quick proto tcp from any to any port = 25 keep state
@9 block return-rst in log quick proto tcp from any to any port = 113 flags S/SA
@10 pass in quick proto udp from any to any port = 53
@11 pass in quick proto udp from any port = 53 to any
@12 pass in quick proto icmp from any to any
If you care to notice rules @3-@5 in the input chain, you will see that
I only allow packets from 127.0.0.1 on lo0, and the rest of the
127.0.0.0/8 subnet is filtered out on any interface. Of course, as I
said before, I am paranoid ;-)
--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public key: finger keramida@ceid.upatras.gr
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000624142438.A27546>