From owner-freebsd-questions Sat Jun 24 5:16:23 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.hellasnet.gr (mail.hellasnet.gr [212.54.192.3]) by hub.freebsd.org (Postfix) with ESMTP id E7F6337B893 for ; Sat, 24 Jun 2000 05:16:12 -0700 (PDT) (envelope-from keramida@ceid.upatras.gr)
Received: from hades.hell.gr (ppp1.patr.hellasnet.gr [212.54.197.16]) by mail.hellasnet.gr (8.9.1/8.9.1) with ESMTP id OAA11297; Sat, 24 Jun 2000 14:15:05 +0200 (GMT)
Received: (from charon@localhost) by hades.hell.gr (8.10.2/8.10.2) id e5OBOd127642; Sat, 24 Jun 2000 14:24:39 +0300 (EEST)
Date: Sat, 24 Jun 2000 14:24:38 +0300
From: Giorgos Keramidas
To: cjclark@alum.mit.edu
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Confused by Loopback
Message-ID: <20000624142438.A27546@hades.hell.gr>
References: <20000621205221.A43715@pool0586.cvx20-bradley.dialup.e> <20000623004145.B17268@hades.hell.gr> <20000623193527.B481@dialin-client.earthlink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000623193527.B481@dialin-client.earthlink.net>; from cristjc@earthlink.net on Fri, Jun 23, 2000 at 07:35:27PM -0700
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Jun 23, 2000 at 07:35:27PM -0700, Crist J. Clark wrote:
>
> On Fri, Jun 23, 2000 at 12:41:45AM +0300, Giorgos Keramidas wrote:
> > If what puzzles you is that you actually *got* some replies back, you
> > have to use a firewall to stop packets originating from, or destined to
> > hosts in 127.0.0.0/8, from traversing your tun0 interface :)
>
> I was not bothering to firewall my ppp. After firewalling on my cable
> modem hookup, I did not figure dialing in a few minutes at a time was
> much of a problem... now I wonder.

It is not necessary for everyone to be paranoid. However, after playing
around with ipfilter and making myself a closed-type firewall (the rules
are listed at the end of this message), I saw far too many blocked packets
to just ignore the fact that I was being constantly port-scanned while I
was online!

Anyway, the rules that I now use look like:

@1 pass out quick proto tcp from any to any keep state

@1 block in log from any to any
@2 block in proto eigrp from any to any
@3 pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
@4 block in log quick from 127.0.0.0/8 to any
@5 block in log quick from any to 127.0.0.0/8
@6 pass in quick proto tcp from any port = 20 to any keep state
@7 pass in quick proto tcp from any to any port = 22 keep state
@8 pass in quick proto tcp from any to any port = 25 keep state
@9 block return-rst in log quick proto tcp from any to any port = 113 flags S/SA
@10 pass in quick proto udp from any to any port = 53
@11 pass in quick proto udp from any port = 53 to any
@12 pass in quick proto icmp from any to any

If you care to notice rules @3-@5 in the input chain, you will see that I
only allow packets from 127.0.0.1 on lo0, and the rest of the 127.0.0.0/8
subnet is filtered out on any interface. Of course, as I said before, I am
paranoid ;-)

--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public key: finger keramida@ceid.upatras.gr

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
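The following is an added example, not part of the message above and not code written by its author. It transcribes the inbound rules @1, @3, @4, @5, @7 and @12 into a small evaluator that applies ipfilter's matching order (rules scanned top to bottom, the last matching rule wins, except that a matching "quick" rule decides immediately) to constructed packets, to show why a packet with a 127.0.0.0/8 source or destination arriving on tun0 is dropped while real loopback traffic on lo0 still passes. It assumes ipfilter's default of passing a packet no rule matches, ignores "log" and "keep state", and leaves out the remaining rules; the Rule and Packet classes are invented for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


@dataclass
class Rule:
    """One ipfilter rule, reduced to the fields this evaluator uses."""
    action: str                       # "pass" or "block"
    quick: bool                       # a matching quick rule ends evaluation
    iface: Optional[str] = None       # "on lo0"; None matches any interface
    proto: Optional[str] = None       # "proto tcp"; None matches any protocol
    src: ipaddress.IPv4Network = ANY  # "from <net>"
    dst: ipaddress.IPv4Network = ANY  # "to <net>"
    dport: Optional[int] = None       # "port = N" on the destination
    name: str = ""                    # label reported in the verdict


@dataclass
class Packet:
    """A constructed inbound packet as the filter would see it."""
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# Constructed transcription of inbound rules @1, @3, @4, @5, @7 and @12 from
# the message; "log", "keep state" and the other rules are omitted.
IN_RULES = [
    Rule("block", False, name="@1"),
    Rule("pass", True, iface="lo0", src=net("127.0.0.1/32"),
         dst=net("127.0.0.1/32"), name="@3"),
    Rule("block", True, src=net("127.0.0.0/8"), name="@4"),
    Rule("block", True, dst=net("127.0.0.0/8"), name="@5"),
    Rule("pass", True, proto="tcp", dport=22, name="@7"),
    Rule("pass", True, proto="icmp", name="@12"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule constrains agrees with the packet."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, name of the deciding rule).

    ipfilter order: scan all rules, the last match wins, but a matching
    'quick' rule decides at once. With no match at all the packet passes
    (ipfilter's default policy, assumed here).
    """
    verdict, decided_by = "pass", "default"
    for rule in rules:
        if matches(rule, pkt):
            verdict, decided_by = rule.action, rule.name
            if rule.quick:
                break
    return verdict, decided_by


if __name__ == "__main__":
    samples = [
        Packet("lo0", "tcp", "127.0.0.1", "127.0.0.1", 25),   # genuine loopback
        Packet("tun0", "tcp", "127.0.0.1", "10.0.0.5", 25),   # loopback source on the ppp link
        Packet("tun0", "tcp", "198.51.100.7", "127.0.0.1", 80),  # loopback destination on the ppp link
        Packet("lo0", "tcp", "127.0.0.2", "127.0.0.1", 25),   # 127/8 but not 127.0.0.1/32
        Packet("tun0", "udp", "198.51.100.7", "10.0.0.5", 1234),  # nothing quick matches
    ]
    for p in samples:
        print(p, "->", evaluate(IN_RULES, p))
```

The last sample shows the role of rule @1: it matches every inbound packet without being quick, so any packet that no later quick "pass" rule accepts falls back to that block verdict, which is what makes the ruleset "closed-type" as the message describes.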