From owner-freebsd-security Thu Oct 26 2:40:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 9310037B4C5 for ; Thu, 26 Oct 2000 02:40:54 -0700 (PDT)
Received: by snafu.adept.org (Postfix, from userid 1000) id DE2A19EE01; Thu, 26 Oct 2000 02:40:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id DC20B9B001; Thu, 26 Oct 2000 02:40:30 -0700 (PDT)
Date: Thu, 26 Oct 2000 02:40:30 -0700 (PDT)
From: Mike Hoskins
To: cjclark@alum.mit.edu
Cc: Andrew Penniman , freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
In-Reply-To: <20001025233717.Y75251@149.211.6.64.reflexcom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 25 Oct 2000, Crist J. Clark wrote:

> > To prevent spoofing on the x.y.z.z/24 network, add the following rule to
> > prevent x.y.z.z/24 sourced traffic coming into the machine from the outside
> > world:
> >
> > deny ip from x.y.z.z/24 to any via xx0 in

That's rule 65535. ;)

> allow ip from a.b.c.d to any keep-state out
> allow ip from x.y.z.z/24 to any keep-state in via yy0
>
> Where yy0 is the internal interface, is better. Go for the explicit
> pass, default deny.

Thanks, this is what I needed. I'd submitted my rules for inspection before without much feedback; I'm glad this came up again. :)

-mrh

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
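An rc.firewall-style fragment that applies the advice in the reply (explicit stateful pass per interface, default deny, with the anti-spoof deny kept as a logged extra rather than relied on). This is an added example, not a script from the thread or from FreeBSD's own rc.firewall; the interface names xx0/yy0 follow the thread, while the addresses (documentation ranges), the rule numbers, and the dry-run FWCMD convention are assumptions made here. The verify_order check guards against a common ordering mistake: a check-state rule numbered after the keep-state rules, so that dynamic entries are never consulted first.

```shell
#!/bin/sh
# Added example (not from the list thread, not FreeBSD's rc.firewall):
# an ipfw ruleset built on "explicit pass, default deny".
# xx0/yy0 follow the thread; 203.0.113.1 and 192.0.2.0/24 are
# documentation addresses chosen here as placeholders.
#
# FWCMD defaults to "echo /sbin/ipfw" so the script only prints the
# ruleset; run with FWCMD=/sbin/ipfw (as root, on the console) to load it.
FWCMD=${FWCMD:-"echo /sbin/ipfw"}

# build_ruleset OIF IIF EXT_IP LAN_NET
#   OIF     outside interface          (the thread's xx0)
#   IIF     inside interface           (the thread's yy0)
#   EXT_IP  the firewall's outside IP  (the thread's a.b.c.d)
#   LAN_NET the internal network       (the thread's x.y.z.z/24)
build_ruleset() {
    oif=$1; iif=$2; ext_ip=$3; lan_net=$4

    ${FWCMD} -f flush
    # loopback is allowed; loopback addresses never appear on other interfaces
    ${FWCMD} add 100 allow ip from any to any via lo0
    ${FWCMD} add 200 deny ip from any to 127.0.0.0/8
    ${FWCMD} add 300 deny ip from 127.0.0.0/8 to any
    # consult the dynamic (keep-state) table before the static rules below
    ${FWCMD} add 400 check-state
    # anti-spoof: a LAN source address must never arrive on the outside
    # interface. With default deny this would be dropped anyway (rule 65535);
    # an explicit logged rule makes such packets visible in the logs.
    ${FWCMD} add 500 deny log ip from ${lan_net} to any in via ${oif}
    # explicit pass, stateful: the firewall's own outbound traffic ...
    ${FWCMD} add 600 allow ip from ${ext_ip} to any keep-state out via ${oif}
    # ... and LAN hosts, but only when they enter on the inside interface
    ${FWCMD} add 700 allow ip from ${lan_net} to any keep-state in via ${iif}
    # everything else is denied; ipfw's built-in rule 65535 already does this,
    # the explicit rule adds logging of what was dropped
    ${FWCMD} add 65000 deny log ip from any to any
}

# verify_order: read a generated ruleset on stdin and succeed only if the
# check-state rule is numbered below every keep-state rule, so that dynamic
# entries are matched before the static allow rules that create them.
verify_order() {
    awk '
        /add [0-9]+ check-state/ { cs = $3 + 0 }
        /keep-state/ {
            n = $3 + 0
            if (ks == 0 || n < ks) ks = n
        }
        END { exit !(cs > 0 && ks > 0 && cs < ks) }
    '
}

# Dry run with the thread's placeholder interface names (prints the commands):
build_ruleset xx0 yy0 203.0.113.1 192.0.2.0/24
```

Loading such a ruleset over a remote session is the classic way to lock oneself out; the dry-run default exists so the generated rules can be read first, and a real load belongs on the console or behind a timed flush.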