From: Matthew Seaman
To: "J.D. Bronson"
Cc: freebsd-questions@freebsd.org
Date: Sat, 31 Jan 2004 14:05:33 +0000
Subject: Re: tcp blackhole and ident
Message-ID: <20040131140533.GA6295@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <6.0.2.0.2.20040131074525.00b3fdd8@cheyenne.wixb.com>
References: <6.0.2.0.2.20040131072955.00b54ee8@cheyenne.wixb.com> <20040131133924.GB48307@happy-idiot-talk.infracaninophile.co.uk> <6.0.2.0.2.20040131074525.00b3fdd8@cheyenne.wixb.com>
User-Agent: Mutt/1.5.5.1i
List-Id: User questions (freebsd-questions@freebsd.org)

On Sat, Jan 31, 2004 at 07:46:39AM -0600, J.D. Bronson wrote:
> At 07:39 AM 1/31/2004, Matthew Seaman wrote:
> >Run ipfw(8) or a similar firewall and set up a rule that sends an ICMP
> >reject whenever it detects an incoming connection on port 113 as part
> >of your firewall configuration. Eg. something like:
> >
> >    01600 reset tcp from any to me dst-port 113 setup
>
> Thanks...but I have quite a robust Cisco firewall in place ahead of the
> freebsd machines...so I don't -need- to run ipfw...Hmmm...
>
> Actually since the Cisco is dropping any packets already, I wonder if
> 'blackhole' is simply a stupid idea in the first place...

Well, gee. I'm sure Cisco PIX is capable of sending a 'reject' rather
than just dropping the packet. Even so, don't dismiss running packet
filters locally on your FreeBSD boxes. Think "defense in depth" -- or
how many things have to go wrong until there are bad consequences.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAG7YtdtESqEQa7a0RAsRkAJ4wAXaG+LrpkpK4s8mGcjHOLn6wpwCeJ7l0
i1WupW/aVFJ++FbYmE7P24s=
=U191
-----END PGP SIGNATURE-----
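The whole disagreement in this thread comes down to what a remote ident client (a mail server doing an RFC 1413 lookup against port 113) sees: a TCP RST, produced by an ipfw `reset` rule or by a normal closed port, makes the client give up immediately, while a silently dropped SYN, which is what `net.inet.tcp.blackhole` or a Cisco "drop" rule produces, leaves the client hanging until its own timeout. The following probe is an added example, not code from the original message or from FreeBSD; it classifies a target port from the outside as `open`, `refused` (RST) or `filtered` (no answer), so you can check from another host which behaviour your port 113 actually exhibits. Host and port values are assumptions; the self-test helpers use a loopback listener and a loopback closed port so the script runs offline.

```python
"""Classify how a TCP port responds to a connection attempt.

'refused'  -> a RST came back (closed port, or an ipfw 'reset' rule);
              an ident client fails fast.
'filtered' -> nothing came back within the timeout (firewall drop,
              or FreeBSD net.inet.tcp.blackhole); an ident client
              blocks until its own timeout.
'open'     -> the three-way handshake completed.
Anything else is reported as 'error:<errno>' (e.g. host unreachable).

Added example, not from the original thread. Host/port are assumptions.
"""
import errno
import socket


def probe(host, port, timeout=3.0):
    """Attempt a connect to host:port and classify the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # Kernel received a RST for our SYN.
        return "refused"
    except (socket.timeout, TimeoutError):
        # SYN (and retransmits) went unanswered: drop / blackhole.
        return "filtered"
    except OSError as e:
        # e.g. ENETUNREACH / EHOSTUNREACH from an ICMP error or no route.
        return "error:%s" % (errno.errorcode.get(e.errno, e.errno),)
    finally:
        s.close()


def free_loopback_port():
    """Bind to an ephemeral loopback port, release it and return the number.

    A connect to this port afterwards should be answered with a RST,
    i.e. probe() returns 'refused'.  Test helper, not part of the probe.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
    finally:
        s.close()


def loopback_listener():
    """Return a listening loopback socket; probe() on it returns 'open'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def ident_check(host, timeout=3.0):
    """Probe the ident port (113) of `host` and describe what a client sees."""
    verdict = probe(host, 113, timeout)
    meaning = {
        "open": "an identd is answering",
        "refused": "RST returned: ident clients fail immediately (desired)",
        "filtered": "SYN dropped: ident clients hang until their timeout",
    }.get(verdict, "connect error, see errno")
    return verdict, meaning


if __name__ == "__main__":
    # Offline demonstration against loopback; replace with the mail host
    # that complained about slow ident lookups (assumed address).
    print("closed loopback port:", probe("127.0.0.1", free_loopback_port()))
    ln = loopback_listener()
    print("listening loopback port:", probe("127.0.0.1", ln.getsockname()[1]))
    ln.close()
    print("ident on 192.0.2.10:", ident_check("192.0.2.10", timeout=2.0))
```

Run it from a machine outside the Cisco, since the point of the thread is what the Internet sees, not what the box sees of itself; a `filtered` verdict on 113 is the symptom that makes remote mail servers stall, and `refused` is what both the ipfw `reset` rule and a PIX "reject" produce.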