Date: Fri, 21 Nov 1997 14:51:26 +1100 (EDT)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: danny@panda.hilink.com.au (Daniel O'Callaghan)
Cc: robert@cyrus.watson.org, freebsd-security@FreeBSD.ORG, bugtraq@netspace.org
Subject: Re: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE
Message-ID: <199711210354.TAA08311@hub.freebsd.org>
In-Reply-To: <Pine.BSF.3.91.971121123958.235N-100000@panda.hilink.com.au> from "Daniel O'Callaghan" at Nov 21, 97 12:49:05 pm
There's a perl script called "mkfilters" distributed with IP filter which will generate the appropriate list of configuration lines to prevent any spoofed packets. This is only recommended for use as a baseline to build from, however. The script does attempt to handle ppp interfaces, although dynamic allocation of ppp numbers (both interface and IP#) can hamper any efforts to do this sanely.

example output:

#
# The following routes should be configured, if not already:
#
# route add 10.1.1.1 localhost 0
#
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass out on le0 all head 250
block out from 127.0.0.0/8 to any group 250
block out from any to 127.0.0.0/8 group 250
block out from any to 10.1.1.1/32 group 250
pass in on le0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 10.1.1.1/32 to any group 200

where le0 is 10.1.1.1.

Darren
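The rule set Darren's message shows is mechanical enough to regenerate from a list of interfaces, which is what mkfilters does. The following Python generator is an added example written for this page; it is not the mkfilters script and not part of the original message. It reproduces the exact ruleset from the message for a single interface (le0 at 10.1.1.1) and, as a generalisation beyond the message, also handles several directly attached interfaces: on each interface it additionally blocks inbound packets whose source address belongs to another attached interface's network, which is only valid when those networks are reachable solely through that interface (no asymmetric routing). The interface list, the group numbering scheme (200/250 per interface, stepped by 100) and the 10.1.2.0/24 second network are assumptions made for the example.

```python
import ipaddress

# Constructed sample input (not from the message): (interface, address/prefix)
# for each directly attached network. Prefix length is an assumption; the
# original message only states that le0 is 10.1.1.1.
EXAMPLE_INTERFACES = [("le0", "10.1.1.1/24")]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def antispoof_rules(interfaces, in_base=200, out_base=250, step=100):
    """Return IP Filter rules (one string per line) in the head/group style
    of the mkfilters output quoted in the message.

    interfaces: iterable of (name, "address/prefix") pairs.
    Group numbers: interface 0 gets in=200/out=250, interface 1 gets
    300/350, and so on (numbering scheme is an assumption of this example).
    """
    ifaces = [(name, ipaddress.ip_interface(addr)) for name, addr in interfaces]
    # Every address this host owns; nobody outside should send *from* them,
    # and nothing should leave the box addressed *to* them.
    own_hosts = [f"{iface.ip}/32" for _, iface in ifaces]

    rules = [
        # Global sanity checks, independent of interface:
        # drop anything carrying IP options, and TCP fragments too short
        # to hold a full header (a classic way to sneak past port filters).
        "block in log quick from any to any with ipopts",
        "block in log quick proto tcp from any to any with short",
    ]

    for idx, (name, iface) in enumerate(ifaces):
        out_group = out_base + idx * step
        in_group = in_base + idx * step

        # Outbound: everything passes unless a rule in the group blocks it.
        rules.append(f"pass out on {name} all head {out_group}")
        rules.append(f"block out from {LOOPBACK} to any group {out_group}")
        rules.append(f"block out from any to {LOOPBACK} group {out_group}")
        for host in own_hosts:
            rules.append(f"block out from any to {host} group {out_group}")

        # Inbound: packets claiming to come from loopback or from one of
        # our own addresses are spoofed by definition.
        rules.append(f"pass in on {name} all head {in_group}")
        rules.append(f"block in from {LOOPBACK} to any group {in_group}")
        for host in own_hosts:
            rules.append(f"block in from {host} to any group {in_group}")

        # Generalisation (assumption, see lead-in): a source address from
        # another attached network must not arrive on this interface.
        for other_name, other in ifaces:
            if other_name != name:
                rules.append(
                    f"block in from {other.network} to any group {in_group}"
                )

    return rules


def render(rules):
    """Join rules into ipf.conf text with the route reminder from the message."""
    header = [
        "#",
        "# The following routes should be configured, if not already:",
        "#",
    ]
    return "\n".join(header + rules) + "\n"


if __name__ == "__main__":
    print(render(antispoof_rules(EXAMPLE_INTERFACES)), end="")
```

For the single-interface input the function emits exactly the nine rule lines quoted in the message. The `with ipopts` and `with short` rules, and the head/group structure, follow the message's own output; only the per-interface cross-network block is the example's addition, and it should be dropped on hosts where a remote network can legitimately arrive on more than one interface.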