Date: Wed, 12 Mar 2003 05:16:45 -0500
From: Jim Bloom <bloom@acm.org>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: ipfw@FreeBSD.ORG
Subject: Re: Anti-Spoofing Option
Message-ID: <3E6F090D.1080506@acm.org>
In-Reply-To: <20030312081536.GB42446@blossom.cjclark.org>
References: <20030312080622.GA42446@blossom.cjclark.org> <20030312081536.GB42446@blossom.cjclark.org>
Sounds like a nice idea for firewalls. I haven't looked at the code closely
yet, but how does it handle the loopback interface? Packets within the
machine to any of its interfaces get sent via the loopback interface but
could have any of the machine's addresses. My current first rule is

# ipfw add 100 pass any to any via lo0

Also, will this pick up IPv6 as well?

Jim Bloom

Crist J. Clark wrote:
> On Wed, Mar 12, 2003 at 12:06:22AM -0800, Crist J. Clark wrote:
> [snip]
>
>>To turn on anti-spoofing on a firewall, put,
>>
>>  # ipfw add 100 pass ip from any to any verrevpath
>>
>>Before any other rules. All done (well, only if you're not using
>>dynamic rules).
>
> Whoa. Must be getting late. You probably don't want to do that on your
> firewall. That was for showing the only rule you need on a router
> where you only want to enable antispoofing.
>
> To turn on anti-spoofing for a stateless packet filter, start with,
>
>   # ipfw add 100 deny ip from any to any not verrevpath in
>
> That is deny incoming packets that don't pass the 'verrevpath' check.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E6F090D.1080506>
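The reverse-path check the thread is discussing, as an added example that is not part of the original message and not FreeBSD's ipfw code: a small Python model of what `verrevpath` decides, driven by a constructed routing table in the shape `netstat -rn` prints. The interface names (fxp0, fxp1, lo0), the prefixes, the addresses, and the host routes for the box's own addresses pointing at lo0 are all assumptions made for the example. The `antispoof_rule` function mirrors the rule Crist gives, `deny ip from any to any not verrevpath in`, so the sample traffic shows which packets that rule drops, including the two cases Jim raises: a packet carrying one of the machine's own addresses arriving over lo0, and an IPv6 source.

```python
import ipaddress

# Constructed routing table for a two-interface FreeBSD box, in the shape
# `netstat -rn` would print it. Interface names, prefixes and addresses are
# assumptions for this example, not the poster's configuration.
ROUTES = [
    ("0.0.0.0/0",       "fxp0"),  # default route, external interface
    ("192.0.2.0/24",    "fxp0"),  # external LAN
    ("10.0.0.0/24",     "fxp1"),  # internal LAN
    ("192.0.2.10/32",   "lo0"),   # host routes for the box's own addresses
    ("10.0.0.1/32",     "lo0"),   #   point at lo0 (assumption about the table)
    ("127.0.0.0/8",     "lo0"),
    ("2001:db8:1::/64", "fxp1"),  # an IPv6 prefix: the lookup is address-family neutral
    ("::1/128",         "lo0"),
]

_TABLE = [(ipaddress.ip_network(p), ifn) for p, ifn in ROUTES]


def route_iface(src):
    """Longest-prefix lookup: which interface would a packet *to* `src` leave on?"""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifn in _TABLE:
        # `in` is False across address families, so v4 and v6 routes never mix
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifn)
    return best[1] if best else None


def verrevpath(src, in_iface):
    """Model of ipfw's `verrevpath` option.

    True when the interface the packet arrived on is the one the routing
    table would use to reach the packet's source address. Packets with no
    input interface (locally generated, outbound) are treated as matching,
    which is how ipfw(8) describes verrevpath for outgoing packets.
    """
    if in_iface is None:
        return True
    return route_iface(src) == in_iface


def antispoof_rule(src, in_iface):
    """`ipfw add 100 deny ip from any to any not verrevpath in`

    Returns "deny" when the rule fires and "continue" when the packet falls
    through to the rest of the ruleset. The `in` keyword limits the rule to
    inbound packets, so outbound traffic is never denied here.
    """
    if in_iface is not None and not verrevpath(src, in_iface):
        return "deny"
    return "continue"


def classify(packets):
    """Run (src, in_iface) pairs through the rule and return the verdicts."""
    return [(src, in_iface, antispoof_rule(src, in_iface)) for src, in_iface in packets]


if __name__ == "__main__":
    # Constructed sample traffic, not captured packets.
    SAMPLE = [
        ("192.0.2.77",    "fxp0"),  # external host on the external LAN: legitimate
        ("10.0.0.5",      "fxp0"),  # internal address arriving from outside: spoofed
        ("10.0.0.5",      "fxp1"),  # same address on the internal interface: legitimate
        ("192.0.2.10",    "fxp0"),  # the box's own address arriving from outside: spoofed
        ("192.0.2.10",    "lo0"),   # own address over loopback: the case Jim asks about
        ("2001:db8:1::5", "fxp0"),  # IPv6 internal prefix arriving externally: spoofed
        ("198.51.100.9",  None),    # outbound packet: the rule does not apply
    ]
    for src, ifn, verdict in classify(SAMPLE):
        print(f"{src:15} in via {str(ifn):5} -> {verdict}")
```

In this model the loopback case passes only because the table carries host routes for the machine's own addresses via lo0; if a real table routed those addresses elsewhere, a packet from one of them arriving on lo0 would fail the check and Jim's explicit `pass ... via lo0` rule ahead of the deny would be what saves it. The model says nothing about whether the 2003 ipfw implementation itself looked at IPv6 routes; it only shows that the check, as a routing-table comparison, does not depend on address family.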