Date: Sat, 5 Jan 2002 10:56:30 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Joe & Fhe Barbish <barbish@a1poweruser.com>
Cc: FBSD Questions <questions@FreeBSD.ORG>
Subject: Re: How to Stop IP spoofing in ipfw
Message-ID: <20020105105630.A204@gohan.cjclark.org>
In-Reply-To: <LPBBIGIAAKKEOEJOLEGOEEGLCLAA.barbish@a1poweruser.com>; from barbish@a1poweruser.com on Sat, Jan 05, 2002 at 01:21:39PM -0500
References: <20020104161354.D1205@gohan.cjclark.org> <LPBBIGIAAKKEOEJOLEGOEEGLCLAA.barbish@a1poweruser.com>
On Sat, Jan 05, 2002 at 01:21:39PM -0500, Joe & Fhe Barbish wrote:
> So are you recommending keep-state for tcp over
> dynamic table using setup, established, frag?

"It depends." That was just what I used in the example.

Stateless packet filtering has many known issues. With a stateless packet filter, you can still host scan through a firewall. Stateless packet filters will not stop Ping O' Death and similar (known or not-yet-known) attacks. Stateless packet filters tend to leave you pretty wide open when talking about any protocol other than TCP.

That said, if you are using NAT with non-registered addresses, it makes such attacks more difficult. But they are still quite possible to "near-by" attackers (e.g. if you are on an untrusted LAN, like a coaxial cable LAN, there may be some shady characters local to you, and there are _definitely_ clueless people who might have their computers hijacked by those shady types) unless you remember to block such attacks,

  ipfw add drop ip from any to $net1:$mask1 in via $oif

Before your divert(4) rule to natd(8). You can combine NAT and stateless filter rules to get a stateful firewall (for the machines behind the firewall, but not the firewall itself).

The plus for stateless filtering is that it is easier and there are fewer things that may break or have bugs. It typically isn't practical for the home user, but one of the best approaches is to put a stateless packet filter in front of your stateful one for a layered defense. This is often as simple as putting (stateless) access rules on an existing border router and then putting a more complex stateful firewall behind it.

-- 
"It's always funny until someone gets hurt. Then it's hilarious."
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
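The rule ordering Crist describes (anti-spoof drops on the outside interface placed before the divert rule to natd, then keep-state rules behind it), as an added example that is not part of the original mail or of FreeBSD's rc.firewall; the interface name and the internal network are assumed placeholders, and by default the script only prints the rules rather than loading them:

```shell
#!/bin/sh
# Added example, not code from the mail or from FreeBSD. An ipfw(8) rule fragment
# in the style of rc.firewall: anti-spoof drops on the outside interface come
# BEFORE the divert rule to natd(8); stateful (keep-state) rules follow it.
# Assumed placeholders: oif = external interface, net1:mask1 = the internal,
# non-registered network behind NAT. Override them via the environment.
oif="${OIF:-fxp0}"
net1="${NET1:-192.168.1.0}"
mask1="${MASK1:-255.255.255.0}"

# Print the rule bodies (what would follow "ipfw") without touching the kernel.
emit_ruleset() {
    # A packet arriving on the outside interface with an inside source or an
    # inside destination cannot be legitimate; drop it before natd ever sees it.
    echo "add 100 deny ip from ${net1}:${mask1} to any in via ${oif}"
    echo "add 110 deny ip from any to ${net1}:${mask1} in via ${oif}"
    echo "add 120 deny ip from 127.0.0.0/8 to any in via ${oif}"
    # Only now hand traffic on the outside interface to natd(8).
    echo "add 200 divert natd ip from any to any via ${oif}"
    # check-state matches the dynamic entries that keep-state creates below, so
    # replies to inside-initiated sessions get in without static holes.
    echo "add 300 check-state"
    echo "add 310 allow tcp from ${net1}:${mask1} to any out via ${oif} setup keep-state"
    echo "add 320 allow udp from ${net1}:${mask1} to any 53 out via ${oif} keep-state"
    echo "add 330 allow icmp from any to any icmptypes 0,3,11"
    echo "add 65000 deny log ip from any to any"
}

# Exit 0 only if every inbound anti-spoof deny on oif is numbered below the
# divert rule, i.e. the ordering the mail insists on actually holds.
check_order() {
    emit_ruleset | awk '
        $1 == "add" && $3 == "divert"           { divert = $2 }
        $1 == "add" && $3 == "deny" && /in via/ { if (divert != "" && $2 > divert) bad++ }
        END { exit (divert == "" || bad > 0) ? 1 : 0 }'
}

# Load the rules for real with FWCMD=ipfw; the default just echoes them.
load_ruleset() {
    fwcmd="${FWCMD:-echo ipfw}"
    emit_ruleset | while read -r rule; do ${fwcmd} ${rule}; done
}

check_order && load_ruleset
```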