Date:      Thu, 29 Feb 1996 09:53:35 +0100
From:      Poul-Henning Kamp <phk@critter.tfs.com>
To:        Joe Greco <jgreco@brasil.moneng.mei.com>
Cc:        fenner@parc.xerox.com (Bill Fenner), nate@sri.MT.net, stable@FreeBSD.ORG, current@FreeBSD.ORG
Subject:   Re: IPFW (was: Re: -stable hangs at boot) 
Message-ID:  <2612.825584015@critter.tfs.com>
In-Reply-To: Your message of "Wed, 28 Feb 1996 16:05:26 CST." <199602282205.QAA03415@brasil.moneng.mei.com> 

> > In message <199602261926.MAA00360@rocky.sri.MT.net> Nate wrote:
> > >I'm not sure I could
> > >see the need for filtering differently for incoming vs. outgoing (except
> > >in the case of syn. packets).
> > 
> > You can prevent many IP spoofing attacks by disallowing packets with IP source
> > addresses that match your internal network addresses from coming in your 
> > external connection (e.g. Xerox does
> > 
> > access-list N deny 13.0.0.0 0.255.255.255 any
> > 
> > on its incoming interface on the Cisco)
> 
> Technically, one might want to place its much-less-often-considered brother
> in the firewall too...  the one that prevents OUTgoing packets that do NOT
> have a 13.0.0.0 address...
> 
> (no I don't do this either but I should).

And if you're on a lousy ISP, also a filter to block all of the "private"
networks, 192.168.x.x and so on, (RFC 1596 ?)

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
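
Added example (not part of the original message, and not IPFW or Cisco configuration): a small Python model of the three source-address checks discussed in this thread, applied to packets crossing the external interface. The 13.0.0.0/8 internal network comes from the quoted access-list; the private ranges listed, the function names and the sample packets are constructed assumptions.

```python
import ipaddress

# Internal network, taken from the access-list quoted in the thread.
INTERNAL = ipaddress.ip_network("13.0.0.0/8")
# Private ranges (assumption: the RFC 1918 set; the message only names 192.168.x.x).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check(direction, src):
    """Decide what the external interface does with a packet.

    direction: "in" (arriving from outside) or "out" (leaving the site).
    Returns (action, reason).
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    addr = ipaddress.IPv4Address(src)  # raises ValueError on malformed input
    # Private sources are never valid on the external link, either way.
    if any(addr in net for net in PRIVATE):
        return ("deny", "private source")
    # Ingress: an internal source arriving from outside is spoofed.
    if direction == "in" and addr in INTERNAL:
        return ("deny", "internal source on inbound")
    # Egress: only internal sources may leave.
    if direction == "out" and addr not in INTERNAL:
        return ("deny", "non-internal source on outbound")
    return ("allow", "source consistent with direction")


# Constructed sample packets: (direction, source address).
SAMPLES = [
    ("in", "198.51.100.7"),
    ("in", "13.2.3.4"),
    ("in", "192.168.1.10"),
    ("out", "13.9.9.9"),
    ("out", "203.0.113.5"),
    ("out", "10.0.0.8"),
]


def evaluate(samples=SAMPLES):
    """Return (direction, source, action, reason) for each sample packet."""
    return [(d, s) + check(d, s) for d, s in samples]


if __name__ == "__main__":
    for row in evaluate():
        print("%-3s %-15s %-5s %s" % row)
```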