Date: Tue, 25 Jul 2000 22:47:10 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Bill Fumerola <billf@chimesnet.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <200007260247.WAA08877@khavrinen.lcs.mit.edu>
In-Reply-To: <20000725201435.Q51462@jade.chc-chimes.com>
References: <Pine.BSF.4.21.0007251250050.27676-100000@snafu.adept.org> <200007252128.OAA52048@gndrsh.dnsmgr.net> <20000725193941.P51462@jade.chc-chimes.com> <200007260007.UAA08510@khavrinen.lcs.mit.edu> <20000725201435.Q51462@jade.chc-chimes.com>
<<On Tue, 25 Jul 2000 20:14:35 -0400, Bill Fumerola <billf@chimesnet.com> said:

> I've pretty much been consumed with the 2k lines of ip_fw.c recently
> so I have a decent knowledge of how it works now (scary..), would this
> be something we'd want to do within ipfw or as a separate entity?

ipfw *hack* *spit* *cough*

OK, I've recovered now.  It's probably easiest to do it in ipfw, since
that gives you a mechanism to specify it on an interface-by-interface
basis.  Something like `deny from any to any !rpf-check via intX' (or,
for the converse, `pass from any to any rpf-check via intX').

I think you need to be careful to do this only when packets arrive; if
you do this check on departing packets you may trip over some legitimate
traffic.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick
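The `rpf-check` Wollman sketches above is a strict reverse-path check: look up the packet's *source* address in the routing table and accept the packet only if the route's outgoing interface is the interface the packet arrived on. The following is an added illustration of that logic, not code from the mail or from ipfw (FreeBSD's ipfw later gained a `verrevpath` option that implements this check on incoming packets). The routing table, interface names (`fxp0`, `fxp1`, `ed0`) and addresses are constructed for the example; `rpf_check`, `filter_in` and `rpf_check_on_egress` are hypothetical helper names. The last function shows the caveat in the message: evaluating the same check against a packet's *outgoing* interface rejects ordinary forwarded traffic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed routing table for a small NAT box: two inside segments and a
# default route out the uplink. Interface names are hypothetical.
ROUTES = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "fxp0"),  # inside LAN
    Route(ipaddress.ip_network("10.0.0.0/8"), "fxp1"),      # second inside segment
    Route(ipaddress.ip_network("0.0.0.0/0"), "ed0"),        # uplink / default route
]


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: return the most specific Route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rpf_check(src, in_iface, routes=ROUTES):
    """Strict reverse-path check on an arriving packet.

    Passes only if a reply to src would leave through the interface the
    packet came in on; a source with no route at all also fails.
    """
    r = route_lookup(src, routes)
    return r is not None and r.iface == in_iface


def filter_in(src, in_iface, routes=ROUTES):
    """Verdict of `deny from any to any !rpf-check via <in_iface>` applied on ingress."""
    return "pass" if rpf_check(src, in_iface, routes) else "deny"


def rpf_check_on_egress(src, out_iface, routes=ROUTES):
    """The mistake the message warns about: running the check on a departing
    packet, using its OUTGOING interface. A packet from the inside LAN being
    forwarded out the uplink has src routed to fxp0, not ed0, so it 'fails'
    even though it is perfectly legitimate.
    """
    return rpf_check(src, out_iface, routes)


if __name__ == "__main__":
    # Legitimate traffic on ingress passes; spoofed traffic is dropped.
    print(filter_in("192.168.1.5", "fxp0"))     # inside host on inside iface  -> pass
    print(filter_in("192.168.1.5", "ed0"))      # inside address from uplink   -> deny
    print(filter_in("203.0.113.7", "ed0"))      # outside address from uplink  -> pass
    print(filter_in("203.0.113.7", "fxp0"))     # outside address from inside  -> deny
    # Same check misapplied on egress rejects ordinary forwarded traffic.
    print(rpf_check_on_egress("192.168.1.5", "ed0"))  # False: legitimate packet tripped
```

The strict form shown here assumes symmetric routing; on a multi-homed box where replies to a source can legitimately leave through a different interface than the one the source's packets arrive on, a strict check denies real traffic even on ingress, which is why an interface-by-interface knob (the `via intX` in the proposed rule) matters.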