From owner-freebsd-current Wed Feb 28 11:06:26 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA02816 for current-outgoing; Wed, 28 Feb 1996 11:06:26 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA02793 Wed, 28 Feb 1996 11:06:21 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <16022(2)>; Wed, 28 Feb 1996 11:05:39 PST
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177480>; Wed, 28 Feb 1996 11:05:30 -0800
X-Mailer: exmh version 1.6.4 10/10/95
To: Nate Williams
cc: Poul-Henning Kamp, stable@freebsd.org, current@freebsd.org
Subject: Re: IPFW (was: Re: -stable hangs at boot)
In-reply-to: Your message of "Mon, 26 Feb 1996 11:26:22 PST." <199602261926.MAA00360@rocky.sri.MT.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 28 Feb 1996 11:05:24 PST
From: Bill Fenner
Message-Id: <96Feb28.110530pst.177480@crevenia.parc.xerox.com>
Sender: owner-current@freebsd.org
Precedence: bulk

In message <199602261926.MAA00360@rocky.sri.MT.net> Nate wrote:

>I'm not sure I could
>see the need for filtering differently for incoming vs. outgoing (except
>in the case of syn. packets).

You can prevent many IP spoofing attacks by disallowing packets with IP
source addresses that match your internal network addresses from coming
in your external connection (e.g. Xerox does

    access-list N deny 13.0.0.0 0.255.255.255 any

on its incoming interface on the Cisco)

>That reminds me. I haven't looked yet, but does the new code also
>filter out routing information? The old code didn't (and other firewall
>code I have used does).

Sorry, this doesn't make much sense to me -- shouldn't "filtering routing
information" just be another firewall rule? Seems like policy to me.

  Bill
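The anti-spoofing rule Bill describes, worked through as an added example (not code from the original message or from FreeBSD's ipfw): it translates the quoted Cisco address/wildcard pair 13.0.0.0 0.255.255.255 into a prefix, then applies the rule only to packets arriving inbound on the external interface. It also evaluates the outbound direction, which the mail does not spell out, to show why the filter has to be direction-aware: the same internal source addresses are legitimate leaving the site and spoofed when they arrive from outside. Interface names (ext0, int0), the Packet type and the sample packets are constructed for the example.

```python
"""Direction-aware ingress anti-spoofing filter (added example).

Models the access-list rule quoted in the mail:
    access-list N deny 13.0.0.0 0.255.255.255 any
applied inbound on the interface facing the outside world.
Interface names and sample packets below are constructed, not from the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Packet:
    src: str         # IP source address as dotted quad
    dst: str         # IP destination address
    interface: str   # interface the packet is seen on (constructed names)
    direction: str   # "in" (arriving on interface) or "out" (leaving via it)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Translate a Cisco 'address wildcard' pair into an IPv4Network.

    In a Cisco wildcard a set bit means 'don't care', so 0.255.255.255
    matches the whole first octet: 13.0.0.0 0.255.255.255 -> 13.0.0.0/8.
    Only contiguous wildcards (those equivalent to a prefix) are accepted.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    contiguous = mask == ((0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF)
    if not contiguous:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no prefix form")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


class IngressFilter:
    """Deny packets that claim an internal source but arrive from outside."""

    def __init__(self, external_if: str, internal_nets: Iterable[ipaddress.IPv4Network]):
        self.external_if = external_if
        self.internal_nets = list(internal_nets)

    def is_internal(self, addr: str) -> bool:
        ip = ipaddress.IPv4Address(addr)
        return any(ip in net for net in self.internal_nets)

    def verdict(self, pkt: Packet) -> str:
        # The rule bites only for traffic entering on the external interface.
        # Outbound traffic from internal addresses is exactly what should be
        # leaving the site, so direction has to be part of the match.
        if pkt.direction == "in" and pkt.interface == self.external_if:
            if self.is_internal(pkt.src):
                return "deny"   # internal source arriving from outside: spoofed
        return "permit"

    def apply(self, pkts: Iterable[Packet]) -> List[str]:
        return [self.verdict(p) for p in pkts]


# Site policy built from the rule in the mail (external interface name constructed).
XEROX_NET = wildcard_to_network("13.0.0.0", "0.255.255.255")
SITE_FILTER = IngressFilter(external_if="ext0", internal_nets=[XEROX_NET])

# Constructed sample traffic; 192.0.2.0/24 is the documentation range.
SAMPLE_PACKETS = [
    Packet("13.2.116.11", "192.0.2.1", "ext0", "in"),    # spoofed: internal src from outside
    Packet("192.0.2.1", "13.2.116.11", "ext0", "in"),    # ordinary inbound traffic
    Packet("13.2.116.11", "192.0.2.1", "ext0", "out"),   # legitimate outbound traffic
    Packet("13.2.116.11", "13.1.64.93", "int0", "in"),   # internal-to-internal, inside interface
]


if __name__ == "__main__":
    print(f"internal prefix: {XEROX_NET}")
    for pkt, result in zip(SAMPLE_PACKETS, SITE_FILTER.apply(SAMPLE_PACKETS)):
        print(f"{pkt.direction:>3} {pkt.interface} {pkt.src:>14} -> {pkt.dst:<14} {result}")
```

Running the module prints one verdict per sample packet; only the first packet, an internal source address arriving inbound on ext0, is denied. The same source address outbound, or inbound on the inside interface, passes, which is the incoming-versus-outgoing distinction the thread is about.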