From owner-freebsd-security Tue Oct 24 22:43:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id AA62037B479 for ; Tue, 24 Oct 2000 22:43:34 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 24 Oct 2000 22:42:07 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9P5hDm21895; Tue, 24 Oct 2000 22:43:13 -0700 (PDT) (envelope-from cjc)
Date: Tue, 24 Oct 2000 22:43:13 -0700
From: "Crist J . Clark"
To: Mike Hoskins
Cc: Andrew Johns , peter@sysadmin-inc.com, freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
Message-ID: <20001024224313.X75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001025034912.7190E9EE01@snafu.adept.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20001025034912.7190E9EE01@snafu.adept.org>; from mike@adept.org on Tue, Oct 24, 2000 at 08:49:12PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 24, 2000 at 08:49:12PM -0700, Mike Hoskins wrote:
> > b) Forget the RFC1918 deny's and only allow specific target IP/ports
> > through and explicitly deny everything else.
>
> My personal favorite, I.e.:
>
> check-state
> allow ip from a.b.c.d to any keep-state
> allow ip from x.y.z.z/24 to any keep-state

Eep! You've left yourself _very_ vulnerable to spoofing.

-- 
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
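An added example, not from this thread or any FreeBSD rc.firewall, showing how the quoted stateful rules can be kept while closing the spoofing hole Crist points at: any packet that claims a trusted or internal source address but arrives on the outside interface is dropped before check-state ever sees it, and the allow rules are tied to the interface the traffic is expected on. It assumes interface names fxp0 (outside) and fxp1 (inside), and uses the documentation addresses 192.0.2.10 and 198.51.100.0/24 in place of the thread's a.b.c.d and x.y.z.z/24, both taken to live on the inside interface.

```shell
#!/bin/sh
# rc.firewall-style fragment (added example, not the original poster's rules).
# Assumed placeholders: oif/iif are the outside/inside interfaces, and
# trusted_host/inside_net stand in for the thread's a.b.c.d and x.y.z.z/24,
# both assumed to sit behind the inside interface.
oif="${oif:-fxp0}"
iif="${iif:-fxp1}"
trusted_host="${trusted_host:-192.0.2.10}"
inside_net="${inside_net:-198.51.100.0/24}"

# By default only print the rules; set fwcmd=/sbin/ipfw to load them for real.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

spoof_rules() {
    $fwcmd -f flush

    # Anti-spoofing: a trusted or internal source address can never legitimately
    # arrive on the outside interface. These sit *before* check-state so a
    # forged packet can neither create nor match a dynamic (keep-state) rule.
    $fwcmd add 100 deny log ip from ${trusted_host} to any in via ${oif}
    $fwcmd add 110 deny log ip from ${inside_net} to any in via ${oif}
    $fwcmd add 120 deny log ip from 10.0.0.0/8 to any in via ${oif}
    $fwcmd add 121 deny log ip from 172.16.0.0/12 to any in via ${oif}
    $fwcmd add 122 deny log ip from 192.168.0.0/16 to any in via ${oif}
    $fwcmd add 123 deny log ip from 127.0.0.0/8 to any in via ${oif}

    # The quoted stateful rules, now bound to the inside interface so only
    # packets that really came from the inside can open a dynamic rule.
    $fwcmd add 200 check-state
    $fwcmd add 210 allow ip from ${trusted_host} to any in via ${iif} keep-state
    $fwcmd add 220 allow ip from ${inside_net} to any in via ${iif} keep-state

    # Explicit, logged default deny for everything else.
    $fwcmd add 65000 deny log ip from any to any
}

spoof_rules
```

Run it as-is to review the generated rule list; the logged deny rules at 100-123 are also the lines to watch in the firewall log for spoofing attempts against the trusted addresses.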