From owner-freebsd-security Wed Oct 25 21:20:21 2000
Message-ID: <002d01c03f06$18b2d260$29a63018@bur.adelphia.net>
From: "Andrew Penniman"
To: "Mike Hoskins"
Subject: Re: request for example rc.firewall script
Date: Thu, 26 Oct 2000 00:34:57 -0400
Sender: owner-freebsd-security@FreeBSD.ORG

> On Tue, 24 Oct 2000, Crist J. Clark wrote:
> >
> > > check-state
> > > allow ip from a.b.c.d to any keep-state
> > > allow ip from x.y.z.z/24 to any keep-state
> >
> > Eep! You've left yourself _very_ vulnerable to spoofing.
>
> From the internal net you mean? If so, I agree. Given I'm the only
> person using my 'LAN', I've accepted that as a liveable risk. ;)

The spoofing threat is external. An evil bad person could spoof your
external IP and have full access to your services by the first rule.
They could do the same by spoofing any of the x.y.z.z/24 addresses.

Why would your external IP be talking to the internal system? I think
I'd get rid of that rule completely.

To prevent spoofing on the x.y.z.z/24 network, add the following rule to
prevent x.y.z.z/24 sourced traffic coming into the machine from the
outside world:

    deny ip from x.y.z.z/24 to any via xx0 in

where xx0 is your external interface.

No?
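Added illustration, not part of this message or of FreeBSD's rc.firewall: a tiny first-match evaluator for the rules quoted above, showing that a source-keyed "allow ... keep-state" rule accepts a packet whose source is forged to the trusted range (and creates state for it) unless the "deny ... via <external interface> in" rule is placed in front of it. The interface names (xl0, fxp0), the 10.0.0.0/24 and 203.0.113.5 stand-ins for x.y.z.z/24 and a.b.c.d, and ipfw's default deny are assumptions.

```python
# Constructed example: a minimal first-match evaluator for ipfw-style rules.
# It models only source matching, 'via <iface> <dir>', keep-state/check-state
# and the default deny; addresses and interface names are placeholders.
from ipaddress import ip_address, ip_network

EXT_IF = "xl0"                 # assumed external interface ("xx0" in the mail)
LAN_NET = "10.0.0.0/24"        # assumed stand-in for x.y.z.z/24
EXT_ADDR = "203.0.113.5"       # assumed stand-in for the external IP a.b.c.d

def matches(rule, pkt):
    """True if a static rule's source and 'via <iface> <dir>' clause fit pkt."""
    if rule["src"] != "any" and ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    via = rule.get("via")
    if via is not None and (pkt["iface"], pkt["dir"]) != via:
        return False
    return True

def evaluate(rules, pkt, dynamic):
    """Walk rules in order; first match wins and keep-state records the flow.
    Falls through to ipfw's default deny when nothing matches."""
    for rule in rules:
        if rule["action"] == "check-state":
            if (pkt["src"], pkt["dst"]) in dynamic:
                return "allow"
            continue
        if matches(rule, pkt):
            if rule.get("keep_state"):
                dynamic.add((pkt["src"], pkt["dst"]))
            return rule["action"]
    return "deny"

CHECK_STATE = {"action": "check-state", "src": "any"}
ALLOW_EXT = {"action": "allow", "src": EXT_ADDR, "keep_state": True}
ALLOW_LAN = {"action": "allow", "src": LAN_NET, "keep_state": True}
ANTISPOOF = {"action": "deny", "src": LAN_NET, "via": (EXT_IF, "in")}

ORIGINAL = [CHECK_STATE, ALLOW_EXT, ALLOW_LAN]     # the three rules as quoted
HARDENED = [CHECK_STATE, ANTISPOOF, ALLOW_LAN]     # a.b.c.d rule dropped, deny first

# Constructed packets: two forged sources arriving on the external interface,
# and one genuine LAN packet arriving on the inside interface.
SPOOFED_LAN = {"src": "10.0.0.7", "dst": "10.0.0.1", "iface": EXT_IF, "dir": "in"}
SPOOFED_EXT = {"src": EXT_ADDR, "dst": "10.0.0.1", "iface": EXT_IF, "dir": "in"}
REAL_LAN = {"src": "10.0.0.7", "dst": "10.0.0.1", "iface": "fxp0", "dir": "in"}

def verdict(rules, pkt):
    """Return (action, number of dynamic entries the packet created)."""
    dynamic = set()
    return evaluate(rules, pkt, dynamic), len(dynamic)
```

With the quoted rule set both forged packets are allowed and each plants a dynamic entry; with the deny rule ahead of the keep-state allow, the forged LAN packet is dropped on the external interface while a real LAN packet on the inside interface still passes.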