Date: Fri, 20 Jun 2003 06:13:22 -0700 (PDT)
From: David Wolfskill <david@catwhisker.org>
To: Jan.Grant@bristol.ac.uk, subscriber@insignia.com
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW: combining "divert natd" with "keep-state"
Message-ID: <200306201313.h5KDDMGI066097@bunrab.catwhisker.org>
In-Reply-To: <Pine.GSO.4.44.0306201344090.13279-100000@mail.ilrt.bris.ac.uk>
>Date: Fri, 20 Jun 2003 13:47:18 +0100 (BST)
>From: Jan Grant <Jan.Grant@bristol.ac.uk>
>To: Jim Hatfield <subscriber@insignia.com>
>Cc: freebsd-security@freebsd.org
>Subject: Re: IPFW: combining "divert natd" with "keep-state"

>> >: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
>> >: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0

>> But one question first: do you
>> ever get hits on the second rule 300? I would have thought
>> it very difficult for anyone to route a packet to you with
>> a non-routable destination address. Surely only your ISP
>> could do that?

>Do you trust your ISP? If the choice is between a rule that has no
>benefit providing everyone configured their stuff correctly, and leaving
>out the safety-net because you expect to not need it, that's a pretty
>simple choice.

Indeed.  I'm not using that particular set of rules, but I do block
RFC 1918 netblocks on the external interface.  And I do see attempts
at traffic:

Jun 19 02:14:28 janus /kernel: ipfw: 6000 Deny UDP 10.28.227.64:32769 63.193.123.122:53 in via dc0
Jun 19 02:14:57 janus last message repeated 18 times

I expect this is a result of a misconfiguration (or lack of
configuration) on someone's part.  Regardless, I won't have anything
to do with it.

(I also block packets with certain oddball options set, though I have
yet to see any.)

Peace,
david
--
David H. Wolfskill                              david@catwhisker.org
Based on what I have seen to date, the use of Microsoft products is not
consistent with reliability.  I recommend FreeBSD for reliable systems.
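The message above shows what ipfw logs when an RFC 1918 source or destination is denied on the external interface, and that syslog collapses repeats into a "last message repeated N times" line. As an added example (not part of the thread or of ipfw itself), the Python below parses that log format, keeps only events on the external interface that involve a private address, and expands the repeat lines so the counts reflect the real number of hits. The interface name dc0 is taken from the quoted log line; the other sample lines are constructed for the example and use documentation and private ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input, modelled on the ipfw syslog line quoted in the message.
# Only the first two lines come from the message; the rest are made up for the example.
SAMPLE_LOG = """\
Jun 19 02:14:28 janus /kernel: ipfw: 6000 Deny UDP 10.28.227.64:32769 63.193.123.122:53 in via dc0
Jun 19 02:14:57 janus last message repeated 18 times
Jun 19 02:15:03 janus /kernel: ipfw: 6000 Deny TCP 172.16.4.9:4431 63.193.123.122:22 in via dc0
Jun 19 02:15:10 janus /kernel: ipfw: 200 Accept TCP 203.0.113.7:51234 63.193.123.122:25 in via dc0
Jun 19 02:16:44 janus /kernel: ipfw: 6010 Deny UDP 203.0.113.9:5353 192.168.1.20:53 in via dc0
"""

# The three RFC 1918 private netblocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ipfw log line as written by the FreeBSD 4.x kernel; ports are optional so ICMP lines also match.
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
# syslog's repeat-suppression line; it refers to the immediately preceding message.
REPEAT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) last message repeated (?P<n>\d+) times$"
)


def is_rfc1918(addr):
    """True if the dotted-quad address lies in one of the RFC 1918 netblocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarize_rfc1918_hits(text, external_ifaces=("dc0",)):
    """Count ipfw events on the external interface(s) that involve an RFC 1918
    source or destination. Returns a Counter keyed by
    (rule, action, proto, src, dst, direction, iface).

    'last message repeated N times' adds N to the preceding event, but only when
    that preceding line was itself a counted ipfw event; otherwise it is ignored.
    """
    hits = Counter()
    last_key = None
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            d = m.groupdict()
            last_key = None  # reset; set again below only if this line is counted
            if d["iface"] not in external_ifaces:
                continue
            if not (is_rfc1918(d["src"]) or is_rfc1918(d["dst"])):
                continue
            key = (int(d["rule"]), d["action"], d["proto"],
                   d["src"], d["dst"], d["dir"], d["iface"])
            hits[key] += 1
            last_key = key
            continue
        r = REPEAT_RE.match(line)
        if r:
            if last_key is not None:
                hits[last_key] += int(r.group("n"))
            continue
        # Any other syslog line breaks the "last message" chain.
        last_key = None
    return hits


if __name__ == "__main__":
    for key, count in sorted(summarize_rfc1918_hits(SAMPLE_LOG).items()):
        rule, action, proto, src, dst, direction, iface = key
        print(f"rule {rule:5d} {action:6s} {proto:4s} {src:>15s} -> {dst:<15s} "
              f"{direction} via {iface}: {count} hit(s)")
```

Run against the sample it reports 19 hits for the 10.28.227.64 source (1 logged line plus 18 repeats), one for the 172.16.0.0/12 source, and one for the packet addressed to a 192.168.0.0/16 destination; the accepted public-to-public line is ignored. Feeding it the output of a real /var/log/security (or wherever ipfw logs on the host) gives a quick answer to the "do you ever get hits on the second rule" question asked earlier in the thread.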