From owner-freebsd-security Thu Nov 20 19:54:15 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA08355 for security-outgoing; Thu, 20 Nov 1997 19:54:15 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA08311 for ; Thu, 20 Nov 1997 19:54:06 -0800 (PST) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199711210354.TAA08311@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA249724286; Fri, 21 Nov 1997 14:51:26 +1100
From: Darren Reed
Subject: Re: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE
To: danny@panda.hilink.com.au (Daniel O'Callaghan)
Date: Fri, 21 Nov 1997 14:51:26 +1100 (EDT)
Cc: robert@cyrus.watson.org, freebsd-security@FreeBSD.ORG, bugtraq@netspace.org
In-Reply-To: from "Daniel O'Callaghan" at Nov 21, 97 12:49:05 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

There's a perl script called "mkfilters" distributed with IP filter which
will generate the appropriate list of configuration lines to prevent any
spoofed packets. This is only recommended for use as a baseline to build
from, however.

The script does attempt to handle ppp interfaces, although dynamic
allocation of ppp numbers (both interface and IP#) can hamper any efforts
to do this sanely.

example output:

    #
    # The following routes should be configured, if not already:
    #
    # route add 10.1.1.1 localhost 0
    #
    block in log quick from any to any with ipopts
    block in log quick proto tcp from any to any with short
    pass out on le0 all head 250
    block out from 127.0.0.0/8 to any group 250
    block out from any to 127.0.0.0/8 group 250
    block out from any to 10.1.1.1/32 group 250
    pass in on le0 all head 200
    block in from 127.0.0.0/8 to any group 200
    block in from 10.1.1.1/32 to any group 200

where le0 is 10.1.1.1.

Darren
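The ruleset shape in the message above (a head/group pair per interface, with loopback and own-address blocks hung off each group) can be generated mechanically. The following is an added example written for this page; it is not Darren Reed's mkfilters script and does not reproduce its logic, only a small generator in the same spirit. The interface list, the group numbering (out-group 250+n, in-group 200+n for the n-th interface, so le0 gets 250/200 as in the example output) and the IPv4-only handling are assumptions made here. It goes one step beyond the post: on a multi-homed host it also blocks packets arriving on one interface whose source address claims to belong to another interface's directly attached network, which is the classic anti-spoofing check for a machine with more than one wire.

```python
"""Generate a baseline IP Filter (ipf) anti-spoofing ruleset.

Added example for this page; NOT the mkfilters script distributed with
IP Filter.  Interface names, addresses and group numbering below are
constructed for illustration.  IPv4 only.
"""
import ipaddress

LOOPBACK = "127.0.0.0/8"


def gen_antispoof(interfaces, out_base=250, in_base=200):
    """Return ipf rule lines for a list of (ifname, "addr/prefix") tuples.

    Assumed group numbering: the n-th interface gets out-group out_base+n
    and in-group in_base+n.
    """
    ifs = [(name, ipaddress.ip_interface(cidr)) for name, cidr in interfaces]
    rules = [
        "#",
        "# The following routes should be configured, if not already:",
        "#",
    ]
    # Point each local address at the loopback so locally addressed traffic
    # never has to go out on the wire (same note as in the example output).
    for _, iface in ifs:
        rules.append(f"# route add {iface.ip} localhost 0")
    rules.append("#")
    # Drop datagrams carrying IP options and TCP segments too short to hold
    # a full header, before any interface-specific group is consulted.
    rules.append("block in log quick from any to any with ipopts")
    rules.append("block in log quick proto tcp from any to any with short")
    for n, (name, iface) in enumerate(ifs):
        out_g, in_g = out_base + n, in_base + n
        host = f"{iface.ip}/32"
        # Outbound on this interface: never emit loopback addresses, and
        # never send a packet addressed to ourselves out onto the wire.
        rules.append(f"pass out on {name} all head {out_g}")
        rules.append(f"block out from {LOOPBACK} to any group {out_g}")
        rules.append(f"block out from any to {LOOPBACK} group {out_g}")
        rules.append(f"block out from any to {host} group {out_g}")
        # Inbound on this interface: a loopback source or our own address
        # as source cannot legitimately arrive from the network.
        rules.append(f"pass in on {name} all head {in_g}")
        rules.append(f"block in from {LOOPBACK} to any group {in_g}")
        rules.append(f"block in from {host} to any group {in_g}")
        # Multi-homed generalization (beyond the post): a packet arriving
        # here must not claim a source inside another interface's network.
        for other_name, other in ifs:
            if other_name != name:
                rules.append(
                    f"block in from {other.network} to any group {in_g}"
                )
    return rules


if __name__ == "__main__":
    # Constructed sample: a two-interface host.
    for line in gen_antispoof([("le0", "10.1.1.1/24"), ("le1", "192.168.5.9/24")]):
        print(line)
```

With a single interface `("le0", "10.1.1.1/24")` the output is exactly the example ruleset quoted in the message; each additional interface adds its own head/group pair plus the cross-interface source blocks. Treat the result as the baseline the post recommends and review it before loading it with `ipf -f`, particularly on hosts with dynamically numbered ppp interfaces, where the address list used here will not be stable.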