Date: Sat, 4 Jul 1998 19:22:47 -0700 (PDT)
From: "Jan B. Koum " <jkb@best.com>
To: Louie <louie@sunra.csci.unt.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw with ppp -alias setup
Message-ID: <Pine.BSF.3.96.980704191956.21725A-100000@shell6.ba.best.com>
In-Reply-To: <199807050208.VAA22240@sunra.csci.unt.edu>
On Sat, 4 Jul 1998, Louie wrote:

>On Fri, 3 Jul 1998, Jan B. Koum wrote:
>
>> ># ipfw list
>> >01000 allow ip from any to any via lo0
>> >01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
>> >01110 deny log ip from 192.168.0.0/16 to any in recv tun0
>>                               ^^^^^^
>>
>> Aren't you using 192.168.1.0/16 as you mentioned above?
>
>Yes, but I'm blocking 192.168.1.0/16 from coming in on the PPP side.
>Spoof prevention.
>

	Well.. spoofed packets will try to pretend that they are coming
from your computer. So, in reality you don't need rule 1210, 1310 and
above 1110, but instead only need 192.168.1.0/24 since that is what one
would try to spoof with.

>> >01210 deny log ip from 172.16.0.0/12 to any in recv tun0
>> >01310 deny log ip from 10.0.0.0/8 to any in recv tun0
>> >01410 allow tcp from any to any in recv tun0 established
>
>> AFAICT the rules look ok. Really paranoid people might just take
>> out icmp (think Phrack issue 51 article 6). But yeah, everything looks
>> fine. Add the "deny log" rule before last one if you want.
>
>I'll have to check that out.

	Do that. :) Also do note that this type of data tunneling can be
done with protocols other than icmp.

-- Yan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
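The ruleset quoted in this thread is small enough to trace by hand, but the ordering point (the anti-spoof denies must sit in front of the "established" allow, otherwise a forged RFC 1918 source with the ACK bit set sails through) is easier to see by running packets through it. The following is an added example written for this archive page, not code from the thread or from FreeBSD: a first-match evaluator for the subset of ipfw syntax the quoted rules use. The trailing rule 65535 is a constructed stand-in for ipfw's default rule (deny unless the kernel was built to default-accept), and the packets fed to it are constructed, using the TEST-NET-2 address 198.51.100.7 for "the Internet". The "recv"/"via" handling is simplified to one interface per packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rules as quoted in the thread, plus a constructed explicit deny standing
# in for ipfw's default rule 65535.
RULESET = """\
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01110 deny log ip from 192.168.0.0/16 to any in recv tun0
01210 deny log ip from 172.16.0.0/12 to any in recv tun0
01310 deny log ip from 10.0.0.0/8 to any in recv tun0
01410 allow tcp from any to any in recv tun0 established
65535 deny log ip from any to any
"""


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str             # "in" or "out"
    iface: str                 # received on ("in") or sent via ("out")
    established: bool = False  # TCP segment with ACK or RST set


@dataclass
class Rule:
    number: int
    action: str
    log: bool
    proto: str                             # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    direction: Optional[str]
    recv: Optional[str]
    via: Optional[str]
    established: bool


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse only the ipfw options that appear in the quoted rules."""
    t = line.split()
    number, action, i = int(t[0]), t[1], 2
    log = t[i] == "log"
    if log:
        i += 1
    proto = t[i]
    i += 1
    if t[i] != "from" or t[i + 2] != "to":
        raise ValueError(f"rule {number}: expected 'from X to Y'")
    src, dst = _net(t[i + 1]), _net(t[i + 3])
    i += 4
    direction = recv = via = None
    established = False
    while i < len(t):
        if t[i] in ("in", "out"):
            direction = t[i]
            i += 1
        elif t[i] == "recv":
            recv = t[i + 1]
            i += 2
        elif t[i] == "via":
            via = t[i + 1]
            i += 2
        elif t[i] == "established":
            established = True
            i += 1
        else:
            raise ValueError(f"rule {number}: unsupported option {t[i]!r}")
    return Rule(number, action, log, proto, src, dst, direction, recv, via, established)


def load_rules(text: str) -> List[Rule]:
    rules = [parse_rule(line) for line in text.splitlines() if line.strip()]
    return sorted(rules, key=lambda r: r.number)  # ipfw walks rules in number order


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    # "recv X" matches only packets that arrived on X; "via X" matches either way.
    if rule.recv is not None and not (pkt.direction == "in" and pkt.iface == rule.recv):
        return False
    if rule.via is not None and pkt.iface != rule.via:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.established):
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule wins; returns (rule number, action)."""
    for r in rules:
        if matches(r, pkt):
            return (r.number, r.action)
    raise RuntimeError("no rule matched; a real ipfw always has rule 65535")


RULES = load_rules(RULESET)

if __name__ == "__main__":
    # Constructed packets; 192.168.1.1 plays the gateway's inside address.
    samples = {
        "forged RFC1918 source, ACK set, arriving on tun0":
            Packet("tcp", "192.168.1.5", "192.168.1.1", "in", "tun0", established=True),
        "reply to a connection the gateway opened":
            Packet("tcp", "198.51.100.7", "192.168.1.1", "in", "tun0", established=True),
        "fresh inbound SYN from the Internet":
            Packet("tcp", "198.51.100.7", "192.168.1.1", "in", "tun0"),
        "inbound ICMP from the Internet":
            Packet("icmp", "198.51.100.7", "192.168.1.1", "in", "tun0"),
        "loopback traffic":
            Packet("tcp", "127.0.0.1", "127.0.0.1", "in", "lo0"),
    }
    for label, p in samples.items():
        print(f"{label:50s} -> {verdict(RULES, p)}")
```

The forged packet is stopped by rule 1110 even though it would satisfy rule 1410's "established" test; swap the two and it is accepted. A fresh SYN and inbound ICMP both fall through to the final deny, which is why adding an explicit "deny log" before the last rule, as suggested in the thread, costs nothing and makes those drops visible in the log.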
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980704191956.21725A-100000>