From owner-freebsd-security Sat Jul 4 19:22:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA09881 for freebsd-security-outgoing; Sat, 4 Jul 1998 19:22:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (jkb@shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA09871 for ; Sat, 4 Jul 1998 19:22:47 -0700 (PDT) (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id TAA22217; Sat, 4 Jul 1998 19:22:48 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Sat, 4 Jul 1998 19:22:47 -0700 (PDT)
From: "Jan B. Koum "
X-Sender: jkb@shell6.ba.best.com
To: Louie
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw with ppp -alias setup
In-Reply-To: <199807050208.VAA22240@sunra.csci.unt.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 4 Jul 1998, Louie wrote:

>On Fri, 3 Jul 1998, Jan B. Koum wrote:
>
>> ># ipfw list
>> >01000 allow ip from any to any via lo0
>> >01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
>> >01110 deny log ip from 192.168.0.0/16 to any in recv tun0
>>                                 ^^^^^^
>>
>> Aren't you using 192.168.1.0/16 as you mentioned above?
>
>Yes, but I'm blocking 192.168.1.0/16 from coming in on the PPP side.
>Spoof prevention.
>

Well.. spoofed packets will try to pretend that they are coming from your
computer. So, in reality you don't need rule 1210, 1310 and above 1110, but
instead only need 192.168.1.0/24 since that is what one would try to spoof
with.

>> >01210 deny log ip from 172.16.0.0/12 to any in recv tun0
>> >01310 deny log ip from 10.0.0.0/8 to any in recv tun0
>> >01410 allow tcp from any to any in recv tun0 established
>
>> AFAICT the rules look ok. Really paranoid people might just take
>> out icmp (think Phrack issue 51 article 6). But yeah, everything looks
>> fine. Add the "deny log" rule before last one if you want.
>
>I'll have to check that out.

Do that. :) Also do note that this type of data tunneling can be done with
protocols other than icmp.

-- Yan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security"
in the body of the message
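The anti-spoofing check discussed in the thread, as an added example that is not part of the original message: a small Python matcher for the ipfw syntax subset shown above, run over constructed packets to show that rule 1110 catches a forged internal source on tun0 before rule 1410 would admit it as established TCP. Assumptions: rule 1110 is narrowed to the poster's own 192.168.1.0/24 as Jan suggests, the default policy is deny, and only the keywords in these four rules are supported.

```python
import ipaddress

# Constructed subset of the rule list from the thread, with rule 1110 narrowed
# to the poster's own 192.168.1.0/24 as Jan suggests; default policy assumed deny.
RULES = """\
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01110 deny log ip from 192.168.1.0/24 to any in recv tun0
01410 allow tcp from any to any in recv tun0 established
"""

def _addr_match(spec, addr):
    """'any' or CIDR prefix match."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    """Parse the ipfw(8) syntax subset used above (assumption: no other keywords)."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "log": t[2] == "log"}
    i = 3 if r["log"] else 2
    r["proto"], r["src"], r["dst"] = t[i], t[i + 2], t[i + 4]
    opts = t[i + 5:]
    r["iface"] = next((opts[k + 1] for k in range(len(opts) - 1) if opts[k] in ("via", "recv")), None)
    r["dir"] = "in" if "in" in opts else None
    r["established"] = "established" in opts
    return r

def evaluate(rules_text, pkt):
    """Return (rule number, action) of the first matching rule; 65535/deny if none."""
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
            continue
        if r["iface"] and r["iface"] != pkt["iface"]:
            continue
        if r["dir"] and r["dir"] != pkt["dir"]:
            continue
        if r["established"] and not pkt.get("established"):
            continue
        return r["num"], r["action"]
    return 65535, "deny"

# Constructed packets: a forged "internal" source arriving over PPP (with the ACK
# bit set, so it would pass rule 1410), and a genuine reply to an outbound connection.
SPOOFED = {"src": "192.168.1.5", "dst": "192.168.1.1", "proto": "tcp", "iface": "tun0", "dir": "in", "established": True}
REPLY = {"src": "198.51.100.7", "dst": "192.168.1.5", "proto": "tcp", "iface": "tun0", "dir": "in", "established": True}
```

`evaluate(RULES, SPOOFED)` stops at rule 1110 with deny, while `evaluate(RULES, REPLY)` reaches rule 1410 and is allowed; a packet from outside without the established flag falls through to the default deny.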