Date: Thu, 26 Oct 2000 00:34:57 -0400
From: "Andrew Penniman" <apenniman@adelphia.net>
To: "Mike Hoskins" <mike@adept.org>, <freebsd-security@FreeBSD.ORG>
Subject: Re: request for example rc.firewall script
Message-ID: <002d01c03f06$18b2d260$29a63018@bur.adelphia.net>
References: <Pine.BSF.4.21.0010250134510.47737-100000@snafu.adept.org>
> On Tue, 24 Oct 2000, Crist J. Clark wrote:
>
> > > check-state
> > > allow ip from a.b.c.d to any keep-state
> > > allow ip from x.y.z.z/24 to any keep-state
> > Eep! You've left yourself _very_ vulnerable to spoofing.
>
> From the internal net you mean? If so, I agree. Given I'm the only
> person using my 'LAN', I've accepted that as a liveable risk. ;)

The spoofing threat is external. An evil bad person could spoof your
external IP and have full access to your services by the first rule.
They could do the same by spoofing any of the x.y.z.z/24 addresses.

Why would your external IP be talking to the internal system? I think
I'd get rid of that rule completely.

To prevent spoofing on the x.y.z.z/24 network, add the following rule
to prevent x.y.z.z/24 sourced traffic coming into the machine from the
outside world:

    deny ip from x.y.z.z/24 to any via xx0 in

where xx0 is your external interface.

No?
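The point Andrew makes is about ipfw's first-match semantics: a rule that allows traffic purely on its source address admits anything carrying that source, including forged packets arriving on the outside interface. The following is an added example, not code from this thread or from FreeBSD's rc.firewall. It models ipfw rule matching in Python just far enough to compare the two quoted allow rules against a ruleset with the suggested `deny ... via xx0 in` placed ahead of them, and adds a small check that reports which trusted source prefixes an outsider could still forge. The interface name `int0`, the addresses `203.0.113.5` (standing in for a.b.c.d) and `192.168.1.0/24` (standing in for x.y.z.z/24), and the test packets are all constructed for the example; keep-state is left out because the spoofing problem is the source match alone.

```python
"""Toy model of ipfw first-match evaluation, used to show why the quoted
allow rules are spoofable and how a 'deny ... via EXT_IF in' rule in front
of them closes the hole.  Simplified: keep-state/check-state dynamic rules
and the second (outbound) pass a forwarded packet gets are not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholders standing in for the thread's a.b.c.d, x.y.z.z/24 and xx0.
# The internal interface name is an assumption; the thread never names it.
EXT_IF = "xx0"
INT_IF = "int0"
EXT_IP = "203.0.113.5"      # a.b.c.d (TEST-NET-3 documentation range)
LAN = "192.168.1.0/24"      # x.y.z.z/24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet is seen on
    direction: str  # "in" (arriving) or "out" (leaving)


@dataclass(frozen=True)
class Rule:
    """One ipfw rule: 'ACTION ip from SRC to DST [via IFACE] [in|out]'."""
    action: str                 # "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    via: Optional[str] = None
    direction: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            addr_matches(self.src, pkt.src)
            and addr_matches(self.dst, pkt.dst)
            and (self.via is None or self.via == pkt.iface)
            and (self.direction is None or self.direction == pkt.direction)
        )


def addr_matches(spec: str, addr: str) -> bool:
    """'any', a single host address, or a CIDR prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; ipfw's implicit rule 65535 denies the rest."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The two allow rules as quoted in the thread (keep-state omitted).
QUOTED_RULES = [
    Rule("allow", src=EXT_IP),
    Rule("allow", src=LAN),
]

# Andrew's suggestion: drop the external-IP allow entirely and put the
# anti-spoofing deny ahead of the LAN allow.  The LAN allow is narrowed to
# traffic that really arrives on the inside interface or leaves via the outside.
HARDENED_RULES = [
    Rule("deny", src=LAN, via=EXT_IF, direction="in"),
    Rule("allow", src=LAN, via=INT_IF, direction="in"),
    Rule("allow", src=LAN, via=EXT_IF, direction="out"),
]

# Constructed test traffic; 198.51.100.7 (TEST-NET-2) plays the outside host.
TRAFFIC = {
    "spoofed_lan_src_from_outside": Packet("192.168.1.10", "192.168.1.1", EXT_IF, "in"),
    "spoofed_ext_ip_from_outside": Packet(EXT_IP, "192.168.1.1", EXT_IF, "in"),
    "real_lan_host_going_out": Packet("192.168.1.10", "198.51.100.7", INT_IF, "in"),
    "unsolicited_outside_host": Packet("198.51.100.7", "192.168.1.1", EXT_IF, "in"),
}


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every constructed packet under the given ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in TRAFFIC.items()}


def spoofable_sources(rules: List[Rule], trusted: List[str], ext_if: str) -> List[str]:
    """Trusted source specs an outsider could forge: a packet carrying such a
    source, arriving 'in' on the external interface, still gets 'allow'."""
    exposed = []
    for spec in trusted:
        net = ipaddress.ip_network(spec, strict=False)
        # one representative address inside the spec (host or first usable)
        probe = str(next(net.hosts())) if net.num_addresses > 1 else str(net.network_address)
        if evaluate(rules, Packet(probe, "192.168.1.1", ext_if, "in")) == "allow":
            exposed.append(spec)
    return exposed


if __name__ == "__main__":
    for label, rules in (("quoted", QUOTED_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules))
        print("  spoofable sources:", spoofable_sources(rules, [EXT_IP, LAN], EXT_IF))
```

Under the quoted rules both forged packets are allowed and `spoofable_sources` reports both the external address and the LAN prefix; under the hardened set the LAN forgery hits the deny, the forged external address falls through to the implicit deny, and a genuine LAN host still gets out. On a real forwarding FreeBSD box the same packet is evaluated again on its way out, so the anti-spoofing denies belong in the `in via $oif` section of rc.firewall, and with `check-state` in play a spoofed packet that reaches a `keep-state` allow would also plant a dynamic rule, which is one more reason to put the deny first.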