Date: Thu, 29 Feb 1996 11:31:52 -0600 (CST)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: phk@critter.tfs.com (Poul-Henning Kamp)
Cc: stable@freebsd.org, current@freebsd.org
Subject: Re: IPFW (was: Re: -stable hangs at boot)
Message-ID: <199602291731.LAA04770@brasil.moneng.mei.com>
In-Reply-To: <2612.825584015@critter.tfs.com> from "Poul-Henning Kamp" at Feb 29, 96 09:53:35 am

> > Technically, one might want to place its much-less-often-considered brother
> > in the firewall too... the one that prevents OUTgoing packets that do NOT
> > have a 13.0.0.0 address...
> >
> > (no I don't do this either but I should).
>
> And if you're on a lousy ISP, also a filter to block all of the "private"
> networks, 192.168.x.x and so on, (RFC 1596 ?)

RFC1597:

     10.0.0.0        -   10.255.255.255
     172.16.0.0      -   172.31.255.255
     192.168.0.0     -   192.168.255.255

That's a real good point, actually.  Also 127.*, I would think...

(actually, some non-lousy ISPs assign space out of this address range as it
serves as a very "gross" firewall.  And even if you don't, your customers might
use it as described in 1597 and have a misconfigured router that doesn't
prevent outbound packets.  This implies you want to stop traffic in BOTH
directions).

Gosh, this gets complex quickly :-)

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                             jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                         414/546-7968
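
Added example, not part of the original message or of FreeBSD's own rc.firewall: a shell function that prints (it does not install) ipfw rules for the filters discussed in this thread, covering both directions. The interface name ed0, the rule numbers and the use of 13.0.0.0/8 as "our" network are assumptions taken from the thread's example address.

```sh
#!/bin/sh
# Added example: emits ipfw commands as text so they can be reviewed
# before being applied. Interface name and rule numbers are assumptions.

# RFC 1597 private blocks plus loopback, as listed in the message,
# written in CIDR form.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# gen_rules OUTSIDE_IF OWN_NET [FIRST_RULE_NUMBER]
gen_rules() {
    oif=$1
    own=$2
    n=${3:-1000}

    # Inbound: a packet arriving from outside must not claim to come
    # from our own network.
    echo "ipfw add $n deny ip from $own to any in via $oif"
    n=$((n + 10))

    # Outbound: nothing leaves with a source address that is not ours.
    echo "ipfw add $n deny ip from not $own to any out via $oif"
    n=$((n + 10))

    # Private and loopback space must not cross the outside interface
    # as source or destination; no in/out keyword, so both directions.
    for net in $BOGONS; do
        echo "ipfw add $n deny ip from $net to any via $oif"
        n=$((n + 10))
        echo "ipfw add $n deny ip from any to $net via $oif"
        n=$((n + 10))
    done
}

# Print the rule set for the thread's example network.
gen_rules ed0 13.0.0.0/8
```

If your own addresses come out of one of the private blocks, as the message says some ISPs arrange, take that block out of BOGONS before using the output.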