From owner-freebsd-security Wed Oct 25 1:38:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id BEFAF37B479 for ; Wed, 25 Oct 2000 01:38:39 -0700 (PDT)
Received: by snafu.adept.org (Postfix, from userid 1000) id 3FDA09EE01; Wed, 25 Oct 2000 01:38:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 3AE089B001; Wed, 25 Oct 2000 01:38:19 -0700 (PDT)
Date: Wed, 25 Oct 2000 01:38:19 -0700 (PDT)
From: Mike Hoskins
To: cjclark@alum.mit.edu
Cc: Andrew Johns , peter@sysadmin-inc.com, freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
In-Reply-To: <20001024224313.X75251@149.211.6.64.reflexcom.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 24 Oct 2000, Crist J . Clark wrote:

> > check-state
> > allow ip from a.b.c.d to any keep-state
> > allow ip from x.y.z.z/24 to any keep-state
>
> Eep! You've left yourself _very_ vulnerable to spoofing.

From the internal net you mean? If so, I agree. Given I'm the only person using my 'LAN', I've accepted that as a liveable risk. ;)

Also, outbound ACLs on my router prevent spoofing without ipfw's intervention in my case... I do, however, agree that an additional 'layer' of security could and should be bought if this were a production firewall/router.

-mrh
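One way to close the spoofing hole Crist points out, as an added example that is not part of this thread or of any rc.firewall shipped with FreeBSD: the quoted rules accept any packet whose source address falls in the LAN block, on whatever interface it arrives, so a packet from the outside forged with an inside source address would match the keep-state allow. The sh script below emits an ipfw(8) ruleset that denies LAN-sourced (and other non-routable) packets arriving on the outside interface and binds the stateful allows to the inside interface with `in via`. The interface names, the 192.168.1.0/24 block standing in for x.y.z.z/24 and the 192.168.1.10 host standing in for a.b.c.d are assumptions for the example.

```shell
#!/bin/sh
# Anti-spoofing prefix for an ipfw ruleset, printed as commands so the set
# can be reviewed before loading (pipe the output to sh to apply it).
# All interface names and address blocks are assumed values for this example.
EXT_IF=${EXT_IF:-fxp0}                   # assumed: interface facing the ISP
INT_IF=${INT_IF:-fxp1}                   # assumed: interface facing the LAN
INT_NET=${INT_NET:-192.168.1.0/24}       # assumed: stands in for x.y.z.z/24
ADMIN_HOST=${ADMIN_HOST:-192.168.1.10}   # assumed: stands in for a.b.c.d

antispoof_rules() {
    ipfw="ipfw -q add"
    # A packet carrying our own LAN source address must never arrive on the
    # outside interface; this is exactly the spoof the quoted rules permit.
    # Logged so the attempt shows up in the firewall log.
    echo "$ipfw 100 deny log ip from $INT_NET to any in via $EXT_IF"
    # Loopback addresses never belong on the wire.
    echo "$ipfw 110 deny ip from 127.0.0.0/8 to any in via $EXT_IF"
    # Remaining RFC 1918 blocks arriving from outside are also forgeries
    # (192.168.0.0/16 is already covered by INT_NET in this setup).
    echo "$ipfw 120 deny ip from 10.0.0.0/8 to any in via $EXT_IF"
    echo "$ipfw 121 deny ip from 172.16.0.0/12 to any in via $EXT_IF"
    # Only now consult dynamic state, then create state solely for packets
    # that really entered through the inside interface.
    echo "$ipfw 200 check-state"
    echo "$ipfw 210 allow ip from $ADMIN_HOST to any in via $INT_IF keep-state"
    echo "$ipfw 220 allow ip from $INT_NET to any in via $INT_IF keep-state"
}

# Number of rules the prefix emits; handy for a sanity check before loading.
antispoof_rule_count() {
    antispoof_rules | wc -l | tr -d ' '
}

# Preview when run directly: antispoof_rules | sh  would load them.
antispoof_rules
```

The deny rules carry lower numbers than the allows so they are evaluated first; ipfw stops at the first matching rule, which is why ordering rather than the mere presence of a deny is what closes the hole. Return traffic for sessions opened from the LAN still matches the dynamic rule via `check-state` on any interface.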