Date:      Thu, 26 Oct 2000 02:40:30 -0700 (PDT)
From:      Mike Hoskins <mike@adept.org>
To:        cjclark@alum.mit.edu
Cc:        Andrew Penniman <apenniman@adelphia.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: request for example rc.firewall script
Message-ID:  <Pine.BSF.4.21.0010260235190.51431-100000@snafu.adept.org>
In-Reply-To: <20001025233717.Y75251@149.211.6.64.reflexcom.com>

On Wed, 25 Oct 2000, Crist J . Clark wrote:

> > To prevent spoofing on the x.y.z.z/24 network, add the following rule to
> > prevent x.y.z.z/24 sourced traffic coming into the machine from the outside
> > world:
> > 
> >     deny ip from x.y.z.z/24 to any via xx0 in

That's rule 65535.  ;)

>   allow ip from a.b.c.d to any keep-state out
>   allow ip from x.y.z.z/24 to any keep-state in via yy0
> Where yy0 is the internal interface, is better. Go for the explicit
> pass, default deny.

Thanks, this is what I needed.  I'd submitted my rules for inspection
before without much feedback; I'm glad this came up again. :)

-mrh
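
Added example, not part of the original message or of ipfw: a simplified Python model of first-match rule evaluation, run over constructed packets, showing that the quoted explicit-pass rules leave a spoofed inside-sourced packet arriving on xx0 to the default deny at rule 65535. The addresses (192.0.2.0/24 standing in for x.y.z.z/24, 198.51.100.1 for a.b.c.d), the rule numbers 100 and 200, a default-deny kernel, and state keyed only on the address pair are assumptions.

```python
# Added example: toy model of ipfw first-match evaluation, not ipfw itself.
from ipaddress import ip_address, ip_network
DEFAULT_RULE = 65535           # assumed default: deny ip from any to any
INSIDE_NET = "192.0.2.0/24"    # constructed stand-in for x.y.z.z/24
FW_OUTSIDE = "198.51.100.1"    # constructed stand-in for a.b.c.d

def rule(num, action, src, direction=None, via=None, keep_state=False):
    return {"num": num, "action": action, "src": ip_network(src),
            "dir": direction, "via": via, "keep_state": keep_state}

# Explicit-pass ruleset from the quoted reply (rule numbers are made up).
EXPLICIT_PASS = [
    rule(100, "allow", FW_OUTSIDE + "/32", direction="out", keep_state=True),
    rule(200, "allow", INSIDE_NET, direction="in", via="yy0", keep_state=True),
]

def evaluate(rules, states, pkt):
    """Return (action, matched_rule) for one packet; first match wins."""
    flow = frozenset((pkt["src"], pkt["dst"]))
    if flow in states:                      # simplification: state keyed on address pair
        return "allow", "dynamic"
    for r in sorted(rules, key=lambda r: r["num"]):
        if (ip_address(pkt["src"]) not in r["src"]
                or (r["dir"] and r["dir"] != pkt["dir"])
                or (r["via"] and r["via"] != pkt["iface"])):
            continue
        if r["action"] == "allow" and r["keep_state"]:
            states.add(flow)                # keep-state: remember the flow for replies
        return r["action"], r["num"]
    return "deny", DEFAULT_RULE             # nothing matched: fall through to 65535

def run_samples(rules):
    """Evaluate constructed packets in order against one shared state table."""
    samples = {
        "spoofed_inside_src_on_xx0": ("192.0.2.50", "198.51.100.1", "in", "xx0"),
        "inside_host_on_yy0": ("192.0.2.50", "203.0.113.9", "in", "yy0"),
        "firewall_outbound": ("198.51.100.1", "203.0.113.20", "out", "xx0"),
        "reply_to_firewall": ("203.0.113.20", "198.51.100.1", "in", "xx0"),
        "unsolicited_outside": ("203.0.113.77", "198.51.100.1", "in", "xx0"),
    }
    states, out = set(), {}
    for name, (src, dst, direction, iface) in samples.items():
        pkt = {"src": src, "dst": dst, "dir": direction, "iface": iface}
        out[name] = evaluate(rules, states, pkt)
    return out

if __name__ == "__main__":
    for name, verdict in run_samples(EXPLICIT_PASS).items():
        print(f"{name:28} {verdict}")
```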


