From owner-freebsd-security@FreeBSD.ORG  Fri Jun 20 05:49:27 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C3A2F37B401
	for <freebsd-security@freebsd.org>;
	Fri, 20 Jun 2003 05:49:27 -0700 (PDT)
Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EE71F43F3F
	for <freebsd-security@freebsd.org>;
	Fri, 20 Jun 2003 05:49:26 -0700 (PDT)
	(envelope-from Jan.Grant@bristol.ac.uk)
Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk with SMTP-PRIV 
          with ESMTP; Fri, 20 Jun 2003 13:49:20 +0100
Received: from cmjg (helo=localhost)	by mail.ilrt.bris.ac.uk 
          with local-esmtp (Exim 3.16 #1)	id 19TLIU-0005Ej-00;
          Fri, 20 Jun 2003 13:47:18 +0100
Date: Fri, 20 Jun 2003 13:47:18 +0100 (BST)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
X-X-Sender: cmjg@mail.ilrt.bris.ac.uk
To: Jim Hatfield <subscriber@insignia.com>
In-Reply-To: <hoo5fv47iqp19rvp253tau6d61f4sdq5br@4ax.com>
Message-ID: <Pine.GSO.4.44.0306201344090.13279-100000@mail.ilrt.bris.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Jan Grant <Jan.Grant@bristol.ac.uk>
cc: freebsd-security@freebsd.org
Subject: Re: IPFW: combining "divert natd" with "keep-state"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jun 2003 12:49:28 -0000

On Fri, 20 Jun 2003, Jim Hatfield wrote:

[there was more]

> >: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
> >: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0

>  But one question first: do you
> ever get hits on the second rule 300? I would have thought
> it very difficult for anyone to route a packet to you with
> a non-routable destination address. Surely only your ISP
> could do that?

Do you trust your ISP? If the choice is between a rule that has no
benefit providing everyone configured their stuff correctly, and leaving
out the safety-net because you expect to not need it, that's a pretty
simple choice.



-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Goth isn't dead, it's just lying very still and sucking its cheeks in.