Date:      Wed, 25 Oct 2000 23:37:17 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Andrew Penniman <apenniman@adelphia.net>
Cc:        Mike Hoskins <mike@adept.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: request for example rc.firewall script
Message-ID:  <20001025233717.Y75251@149.211.6.64.reflexcom.com>
In-Reply-To: <002d01c03f06$18b2d260$29a63018@bur.adelphia.net>; from apenniman@adelphia.net on Thu, Oct 26, 2000 at 12:34:57AM -0400
References:  <Pine.BSF.4.21.0010250134510.47737-100000@snafu.adept.org> <002d01c03f06$18b2d260$29a63018@bur.adelphia.net>

On Thu, Oct 26, 2000 at 12:34:57AM -0400, Andrew Penniman wrote:
> > On Tue, 24 Oct 2000, Crist J . Clark wrote:
> >
> > > > check-state
> > > > allow ip from a.b.c.d to any keep-state
> > > > allow ip from x.y.z.z/24 to any keep-state
> > > Eep! You've left yourself _very_ vulnerable to spoofing.
> >
> > From the internal net you mean?  If so, I agree.  Given I'm the only
> > person using my 'LAN', I've accepted that as a liveable risk.  ;)
> 
> The spoofing threat is external.  An evil bad person could spoof your
> external IP and have full access to your services by the first rule.  They
> could do the same by spoofing any of the x.y.z.z/24 addresses.
> 
> Why would your external IP be talking to the internal system?  I think I'd
> get rid of that rule completely.
> 
> To prevent spoofing on the x.y.z.z/24 network, add the following rule to
> prevent x.y.z.z/24 sourced traffic coming into the machine from the outside
> world:
> 
>     deny ip from x.y.z.z/24 to any via xx0 in
> 
> where xx0 is your external interface.
> 
> No?

I think,

  allow ip from a.b.c.d to any keep-state out
  allow ip from x.y.z.z/24 to any keep-state in via yy0

Where yy0 is the internal interface, is better. Go for the explicit
pass, default deny.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
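As an added illustration, not part of the original thread, the following Python dry-run applies ipfw's first-match semantics to the three rule fragments quoted above (the original two allow rules, the same two with Andrew's `deny ... via xx0 in` placed in front, and the `out` / `in via yy0` variant) and shows which rule each test packet hits. The addresses are RFC 5737 documentation stand-ins for a.b.c.d and x.y.z.z/24, the interface names xx0/yy0 are taken from the thread, dynamic state (`check-state` / `keep-state`) is deliberately not modelled because a spoofed first packet only ever meets the static rules, and the default rule is assumed to be 65535 deny (a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT). This is a simulation of rule matching, not ipfw itself.

```python
"""Dry-run of the ipfw rule fragments discussed in the thread (not ipfw itself).

ipfw walks rules in ascending number order; the first rule whose every
option matches decides the packet.  Dynamic state is ignored here: the
spoofed packets of interest are the first packet of a flow, and only the
static rules ever see those.
"""
import ipaddress

# Constructed stand-ins for the thread's placeholders (RFC 5737 ranges).
A_B_C_D = "203.0.113.10"       # a.b.c.d   : the firewall's external address
X_Y_Z_NET = "192.0.2.0/24"     # x.y.z.z/24: the internal LAN
EXT_IF, INT_IF = "xx0", "yy0"  # external / internal interface names from the thread

DEFAULT_RULE = (65535, "deny")  # assumed: kernel without IPFIREWALL_DEFAULT_TO_ACCEPT


def parse_rule(line):
    """Parse 'add NUM {allow|deny} ip from SRC to any [keep-state] [in|out] [via IF]'."""
    tok = line.split()
    if tok[0] != "add" or tok[3:5] != ["ip", "from"] or tok[6:8] != ["to", "any"]:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule = {
        "number": int(tok[1]),
        "action": tok[2],
        "src": None if tok[5] == "any" else ipaddress.ip_network(tok[5]),
        "direction": None,  # None means the rule matches both in and out
        "via": None,        # None means any interface
    }
    opts, i = tok[8:], 0
    while i < len(opts):
        if opts[i] in ("in", "out"):
            rule["direction"] = opts[i]
        elif opts[i] == "via":
            i += 1
            rule["via"] = opts[i]
        elif opts[i] == "keep-state":
            pass  # dynamic state is not modelled (see module docstring)
        else:
            raise ValueError(f"unsupported option {opts[i]!r} in {line!r}")
        i += 1
    return rule


def matches(rule, pkt):
    """pkt = {'src': addr, 'iface': name, 'direction': 'in'|'out'}: one pass through the rules."""
    if rule["direction"] and rule["direction"] != pkt["direction"]:
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    return True


def first_match(ruleset, pkt):
    """Return (rule_number, action) of the first matching rule, else the default rule."""
    for rule in sorted((parse_rule(line) for line in ruleset), key=lambda r: r["number"]):
        if matches(rule, pkt):
            return rule["number"], rule["action"]
    return DEFAULT_RULE


# The rule fragments from the thread, with the stand-in addresses substituted.
ORIGINAL = [
    f"add 100 allow ip from {A_B_C_D} to any keep-state",
    f"add 200 allow ip from {X_Y_Z_NET} to any keep-state",
]
WITH_DENY = [f"add 50 deny ip from {X_Y_Z_NET} to any via {EXT_IF} in"] + ORIGINAL
EXPLICIT = [
    f"add 100 allow ip from {A_B_C_D} to any keep-state out",
    f"add 200 allow ip from {X_Y_Z_NET} to any keep-state in via {INT_IF}",
]

# Constructed test packets (one pass through the rules each).
LAN_HOST = {"src": "192.0.2.20", "iface": INT_IF, "direction": "in"}   # real LAN host entering on yy0
SPOOFED_LAN = {"src": "192.0.2.20", "iface": EXT_IF, "direction": "in"}  # LAN source arriving from outside
SPOOFED_SELF = {"src": A_B_C_D, "iface": EXT_IF, "direction": "in"}      # firewall's own address, from outside
FW_OUT = {"src": A_B_C_D, "iface": EXT_IF, "direction": "out"}          # firewall's own traffic leaving on xx0

if __name__ == "__main__":
    packets = {"LAN_HOST": LAN_HOST, "SPOOFED_LAN": SPOOFED_LAN,
               "SPOOFED_SELF": SPOOFED_SELF, "FW_OUT": FW_OUT}
    for name, ruleset in (("ORIGINAL", ORIGINAL), ("WITH_DENY", WITH_DENY), ("EXPLICIT", EXPLICIT)):
        print(name)
        for pname, pkt in packets.items():
            number, action = first_match(ruleset, pkt)
            print(f"  {pname:13s} -> rule {number:5d} {action}")
```

The run makes the point of the thread concrete: under the original two rules both forged packets are accepted (rules 200 and 100 respectively), Andrew's leading deny stops the forged LAN source but still lets a forged a.b.c.d through rule 100 (which is why he suggests dropping that rule), and binding each allow to a direction and interface lets both forgeries fall through to the default deny while legitimate traffic still matches.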


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001025233717.Y75251>