Date:      Mon, 12 Nov 2001 21:21:20 +0100
From:      Bart Matthaei <bart@dreamflow.nl>
To:        security@freebsd.org
Subject:   Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID:  <20011112212120.A24857@heresy.dreamflow.nl>
In-Reply-To: <001201c16b82$4da9d1e0$9700a8c0@ezri>; from wade@ezri.org on Mon, Nov 12, 2001 at 08:59:47AM -0500
References:  <001201c16b82$4da9d1e0$9700a8c0@ezri>

On Mon, Nov 12, 2001 at 08:59:47AM -0500, Wade Majors wrote:
> These are the only things before natd, which is rule 00050.

That's a good thing. It's wise to set those rules before you pass any
packet to natd.

> In the few days I've had them in, it hasn't caught anything, so I'm
> going to assume this isn't breaking anything legitimate. The question
> is: is this the right way to check for this stuff, anyway? Should I even
> worry about this since my network is using private IPs?

The chance of people using this technique on a home gateway isn't very
big; nevertheless, securing yourself from it is a good thing. The way
you deny access to your services (set up for your private net) from
the outside world depends on your technique of firewalling.

I set a default rule on deny, and allow everything coming in from my
private network's interface (so not with IP classes).

If you allow services for your internal net by allowing certain
IP classes, it's wise to block packets coming from those IP classes received
by the external interface.
(deny all from $ipclass to any recv $external_if)

Hope this helps ;)

Regards,

B.
-- 
Bart Matthaei                 bart@dreamflow.nl

/* Welcome to my world.. You just live in it */
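The ruleset the reply describes, written out as an added example (not code from the thread): anti-spoofing denies for the private ranges on the external interface, numbered below the natd divert rule 00050 the original poster mentioned, then an interface-based allow for the internal side and a default deny. The interface names fxp0/fxp1 are assumptions; the script only prints the ipfw commands so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example: generate the ipfw rules discussed in the reply.
# EXT_IF / INT_IF are assumed interface names; override them in the environment.
EXT_IF="${EXT_IF:-fxp0}"   # assumed external (Internet-facing) interface
INT_IF="${INT_IF:-fxp1}"   # assumed internal (private network) interface

# RFC 1918 ranges: a packet with one of these as source must never arrive
# on the external interface, so such packets are dropped before natd sees them.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the rules in load order. Pipe the output into "sh" to apply them.
build_rules() {
    n=10
    # Anti-spoofing rules, numbered below 00050 so they run before the natd divert.
    for net in $PRIVATE_NETS; do
        printf 'ipfw add %05d deny ip from %s to any in recv %s\n' "$n" "$net" "$EXT_IF"
        n=$((n + 10))
    done
    # natd divert at rule 00050, as in the original poster's setup.
    printf 'ipfw add 00050 divert natd ip from any to any via %s\n' "$EXT_IF"
    # Trust the internal interface itself rather than an address range.
    printf 'ipfw add 00100 allow ip from any to any via %s\n' "$INT_IF"
    # Let replies to connections started from inside come back in.
    printf 'ipfw add 00200 allow tcp from any to any established\n'
    # Default deny for everything else.
    printf 'ipfw add 65000 deny ip from any to any\n'
}

# Sanity check: every "deny ... in recv $EXT_IF" rule must carry a number
# lower than 50, otherwise natd would rewrite the packet before the check.
spoof_rules_precede_natd() {
    build_rules | awk '
        /deny ip from .* in recv/ { if ($3 + 0 >= 50) bad = 1 }
        END { exit bad }'
}
```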
