Date: Fri, 20 Jun 2003 13:47:18 +0100 (BST)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
To: Jim Hatfield <subscriber@insignia.com>
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW: combining "divert natd" with "keep-state"
Message-ID: <Pine.GSO.4.44.0306201344090.13279-100000@mail.ilrt.bris.ac.uk>
In-Reply-To: <hoo5fv47iqp19rvp253tau6d61f4sdq5br@4ax.com>
On Fri, 20 Jun 2003, Jim Hatfield wrote:

[there was more]

> >: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
> >: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0

> But one question first: do you
> ever get hits on the second rule 300? I would have thought
> it very difficult for anyone to route a packet to you with
> a non-routable destination address. Surely only your ISP
> could do that?

Do you trust your ISP?

If the choice is between a rule that has no benefit providing everyone
configured their stuff correctly, and leaving out the safety-net because
you expect to not need it, that's a pretty simple choice.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Goth isn't dead, it's just lying very still and sucking its cheeks in.
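As an added illustration (not code from this thread and not FreeBSD's ipfw), the following Python mock-up imitates ipfw's first-match evaluation just far enough to show which of the two quoted rule-300 lines a given packet hits. It assumes rl0 is the Internet-facing interface, adds the other two RFC 1918 blocks (10/8 and 172.16/12) that the thread does not list, stands in for the rest of the ruleset (where the divert natd and keep-state rules would sit) with a single final allow, and uses constructed sample addresses.

```python
"""Toy evaluator for the two ipfw anti-spoofing rules quoted in the thread.

Added example: it imitates ipfw's first-match semantics only far enough to
show which rule a packet hits.  It is not ipfw and does not model divert/natd
or keep-state.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

EXT_IF = "rl0"  # assumption: rl0 is the Internet-facing interface
# RFC 1918 space; the thread only shows 192.168.0.0/16, the other two are added here
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet was received on (or sent out of)
    direction: str   # "in" or "out", as in ipfw's in/out keywords


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "deny" or "allow"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    direction: Optional[str]  # None = either direction
    via: Optional[str]        # None = any interface
    label: str                # human-readable tag for the demo

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.via is not None and pkt.iface != self.via:
            return False
        return _in_net(pkt.src, self.src) and _in_net(pkt.dst, self.dst)


def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def build_rules() -> List[Rule]:
    """The two quoted rules, repeated per private block, then a stand-in allow
    for the rest of the ruleset."""
    rules: List[Rule] = []
    for net in PRIVATE_NETS:
        # ipfw add 300 deny ip from <net> to any in via rl0   (spoofed source)
        rules.append(Rule(300, "deny", net, "any", "in", EXT_IF, f"private src {net}"))
        # ipfw add 300 deny ip from any to <net> in via rl0   (misrouted destination)
        rules.append(Rule(300, "deny", "any", net, "in", EXT_IF, f"private dst {net}"))
    rules.append(Rule(65000, "allow", "any", "any", None, None, "rest of ruleset"))
    return rules


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """ipfw walks rules in ascending number order; rules sharing a number keep
    the order in which they were added (sorted() is stable).  First match wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule
    raise AssertionError("unreachable: the final allow-any rule always matches")


def classify(pkt: Packet) -> str:
    """Label of the rule that decides this packet's fate."""
    return first_match(build_rules(), pkt).label


# Constructed sample traffic (addresses are documentation ranges, not real hosts).
SAMPLES = {
    "spoofed private source arriving from the Internet":
        Packet("192.168.1.5", "203.0.113.10", EXT_IF, "in"),
    "upstream forwarded a packet for a LAN address (the 'trust your ISP' case)":
        Packet("198.51.100.7", "192.168.1.20", EXT_IF, "in"),
    "ordinary inbound traffic":
        Packet("198.51.100.7", "203.0.113.10", EXT_IF, "in"),
    "LAN host on the inside interface (not 'via rl0', so rule 300 is skipped)":
        Packet("192.168.1.20", "203.0.113.10", "xl0", "in"),
}

if __name__ == "__main__":
    for what, pkt in SAMPLES.items():
        rule = first_match(build_rules(), pkt)
        print(f"{what}: rule {rule.number} {rule.action} ({rule.label})")
```

The second sample is the only way the destination-based rule ever fires: a packet with a non-routable destination reaches rl0 solely because something upstream forwarded it there, which in a correctly configured world never happens, and that is exactly the situation the safety-net rule is kept for. The `in via rl0` qualifier is what keeps both rules from touching legitimate LAN traffic on the inside interface.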