Date: Wed, 28 Feb 1996 16:05:26 -0600 (CST)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: fenner@parc.xerox.com (Bill Fenner)
Cc: nate@sri.MT.net, phk@critter.tfs.com, stable@freebsd.org, current@freebsd.org
Subject: Re: IPFW (was: Re: -stable hangs at boot)
Message-ID: <199602282205.QAA03415@brasil.moneng.mei.com>
In-Reply-To: <96Feb28.110530pst.177480@crevenia.parc.xerox.com> from "Bill Fenner" at Feb 28, 96 11:05:24 am

> In message <199602261926.MAA00360@rocky.sri.MT.net> Nate wrote:
> >I'm not sure I could
> >see the need for filtering differently for incoming vs. outgoing (except
> >in the case of syn. packets).
>
> You can prevent many IP spoofing attacks by disallowing packets with IP source
> addresses that match your internal network addresses from coming in your
> external connection (e.g. Xerox does
>
>     access-list N deny 13.0.0.0 0.255.255.255 any
>
> on its incoming interface on the Cisco)

Technically, one might want to place its much-less-often-considered brother
in the firewall too... the one that prevents OUTgoing packets that do NOT
have a 13.0.0.0 address...

(no I don't do this either but I should).

... JG
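
Added example, not part of the original message or of any poster's configuration: a small Python model of the two filters discussed above, the incoming rule that drops outside packets claiming a 13.0.0.0 source and its outgoing counterpart that drops packets whose source is not 13.0.0.0. The rule tables, function names, first-match evaluation with a default deny, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Address and Cisco-style wildcard mask quoted in the message (13.0.0.0/8).
INTERNAL = ("13.0.0.0", "0.255.255.255")
ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones matches every address


def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard are ignored; all other bits must equal base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# Hypothetical rule tables for the external interface, first match wins.
# Incoming: refuse packets from outside that claim an internal source.
INGRESS = [("deny",) + INTERNAL, ("permit",) + ANY]
# Outgoing: let only internal sources leave, refuse everything else.
EGRESS = [("permit",) + INTERNAL, ("deny",) + ANY]


def decide(rules, src):
    """Return the action of the first rule whose source pattern matches."""
    for action, base, wildcard in rules:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # assumption of this model: nothing matched, so drop


def filter_packet(direction, src):
    """direction is 'in' or 'out' relative to the external connection."""
    return decide(INGRESS if direction == "in" else EGRESS, src)


# Constructed sample packets: (direction, source address, note).
SAMPLES = [
    ("in", "13.1.2.3", "outside packet claiming an internal source"),
    ("in", "192.0.2.10", "ordinary outside source"),
    ("out", "13.200.0.9", "ordinary internal source"),
    ("out", "192.0.2.10", "internal host using a foreign source"),
]

if __name__ == "__main__":
    for direction, src, note in SAMPLES:
        print(f"{direction:3} {src:12} {filter_packet(direction, src):6} {note}")
```
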