From: Garrett Wollman
Date: Thu, 19 Jul 2001 12:13:19 -0400 (EDT)
To: Walter Hop
Cc: "default013 - subscriptions", freebsd-security@FreeBSD.ORG
Subject: Re: blocking I.P. addresses/ranges

< said:

> [in reply to default013subscriptions@hotmail.com, 19-07-2001]
>> I know there is a way to block I.P. addresses/I.P. ranges in Linux by using
>> something like 'route add 24.198.54.0 deny' etc... I assume that there must
>> be a similar way to do this in FreeBSD...

> In FreeBSD, you can do this for instance with the ``ipfw'' tool.

Or, without recourse to the packet-filtering code, using:

	route add -net aa.bb.cc.dd -netmask (some mask) -interface lo0 -reject

However, there is an important caveat to doing this: adding such a
route does not prevent the other party from sending packets to you; it
only prevents your machine from responding. Thus, it does not help
against those attacks which do not require a response.

-GAWollman
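
Added example, not part of the original message: a small sh helper that prints, for one network, the reject route in the form given above next to an ipfw deny rule, since only the latter drops inbound packets. The function names, the 192.0.2.0/24 documentation prefix and rule number 1000 are assumptions made for illustration, and the ipfw rule assumes ipfw is enabled on the host.

```shell
#!/bin/sh
# Added example, not from the original message. Helper names are hypothetical;
# 192.0.2.0/24 (documentation prefix) and rule number 1000 are constructed.

# Convert a prefix length to the dotted mask -netmask expects (24 -> 255.255.255.0).
prefix_to_mask() {
    bits=$1 mask="" i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    echo "$mask"
}

# Accept only digits and dots for the network and a prefix length of 1-32,
# so a typo cannot silently turn into a much wider block.
valid_net() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    case "$2" in *[!0-9]*|"") return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 32 ]
}

# Route from the message: replies to the network are rejected locally,
# but packets from it are still received and processed.
reject_route_cmd() {
    echo "route add -net $1 -netmask $(prefix_to_mask "$2") -interface lo0 -reject"
}

# Packet-filter alternative: drops packets arriving from the network.
ipfw_deny_cmd() {
    echo "ipfw add 1000 deny ip from $1/$2 to any"
}

# Print both commands for review instead of executing them.
block_plan() {
    valid_net "$1" "$2" || { echo "usage: block_plan NET PREFIXLEN" >&2; return 1; }
    reject_route_cmd "$1" "$2"
    ipfw_deny_cmd "$1" "$2"
}

block_plan 192.0.2.0 24
```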