From owner-freebsd-current Thu Feb 29 00:55:03 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA23150 for current-outgoing; Thu, 29 Feb 1996 00:55:03 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id AAA23127 Thu, 29 Feb 1996 00:54:57 -0800 (PST)
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0ts47H-0003vmC; Thu, 29 Feb 96 00:53 PST
Received: from localhost.tfs.com (localhost.tfs.com [127.0.0.1]) by critter.tfs.com (8.6.12/8.6.12) with SMTP id JAA02614; Thu, 29 Feb 1996 09:53:35 +0100
X-Authentication-Warning: critter.tfs.com: Host localhost.tfs.com didn't use HELO protocol
To: Joe Greco
cc: fenner@parc.xerox.com (Bill Fenner), nate@sri.MT.net, stable@FreeBSD.ORG, current@FreeBSD.ORG
Subject: Re: IPFW (was: Re: -stable hangs at boot)
In-reply-to: Your message of "Wed, 28 Feb 1996 16:05:26 CST." <199602282205.QAA03415@brasil.moneng.mei.com>
Date: Thu, 29 Feb 1996 09:53:35 +0100
Message-ID: <2612.825584015@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-current@FreeBSD.ORG
Precedence: bulk

> > In message <199602261926.MAA00360@rocky.sri.MT.net> Nate wrote:
> > >I'm not sure I could
> > >see the need for filtering differently for incoming vs. outgoing (except
> > >in the case of syn. packets).
> >
> > You can prevent many IP spoofing attacks by disallowing packets with IP source
> > addresses that match your internal network addresses from coming in your
> > external connection (e.g. Xerox does
> >
> > access-list N deny 13.0.0.0 0.255.255.255 any
> >
> > on its incoming interface on the Cisco)
>
> Technically, one might want to place its much-less-often-considered brother
> in the firewall too... the one that prevents OUTgoing packets that do NOT
> have a 13.0.0.0 address...
>
> (no I don't do this either but I should).

And if you're on a lousy ISP, also a filter to block all of the "private"
networks, 192.168.x.x and so on, (RFC 1596 ?)

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
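
The three filters discussed in this thread, combined into one decision function for the external interface. This is an added example, not part of the original message and not ipfw or Cisco code. It assumes 13.0.0.0/8 is the internal network (as in the quoted access-list) and takes "private" to mean the blocks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; the function name and the sample packets are constructed for illustration.

```python
import ipaddress

# Assumption: internal network taken from the access-list quoted in the thread.
INTERNAL = ipaddress.ip_network("13.0.0.0/8")
# Assumption: the "private" networks meant in the reply are these three blocks.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check(direction, src):
    """Decide the fate of a packet crossing the external interface.

    direction: "in" (arriving from outside) or "out" (leaving the site).
    Returns a (verdict, reason) tuple.
    """
    addr = ipaddress.ip_address(src)
    if direction == "in":
        # Ingress: nobody outside can legitimately hold an internal source.
        if addr in INTERNAL:
            return ("deny", "internal source arriving from outside")
        # Ingress: private sources are not routable on the public Internet.
        if any(addr in net for net in PRIVATE):
            return ("deny", "private source arriving from outside")
        return ("allow", "plausible external source")
    if direction == "out":
        # Egress: only our own addresses may leave as a source.
        if addr not in INTERNAL:
            return ("deny", "non-internal source leaving the site")
        return ("allow", "internal source")
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample packets: (direction, source address).
SAMPLES = [
    ("in", "13.1.2.3"),      # spoofed internal address
    ("in", "192.168.0.7"),   # private block
    ("in", "172.31.255.1"),  # last address range inside 172.16.0.0/12
    ("in", "198.51.100.9"),  # ordinary external host
    ("out", "13.9.9.9"),     # legitimate internal host
    ("out", "10.0.0.5"),     # misconfigured or spoofing internal machine
]


def run_samples():
    """Return (direction, source, verdict, reason) for every sample packet."""
    return [(d, s) + check(d, s) for d, s in SAMPLES]


if __name__ == "__main__":
    for d, s, verdict, reason in run_samples():
        print(f"{d:3} {s:15} {verdict:5} {reason}")
```

The egress rule already covers private sources leaving the site, because anything outside the internal network is denied on the way out.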