From owner-freebsd-security Mon Nov 12 13:42:59 2001
Date: Mon, 12 Nov 2001 13:43:17 -0800
From: Greg White
To: security@freebsd.org
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112134317.A46767@greg.cex.ca>
References: <001201c16b82$4da9d1e0$9700a8c0@ezri>
In-Reply-To: <001201c16b82$4da9d1e0$9700a8c0@ezri>; from wade@ezri.org on Mon, Nov 12, 2001 at 08:59:47AM -0500
User-Agent: Mutt/1.2.5i

On Mon Nov 11/12/01, 2001 at 08:59:47AM -0500, Wade Majors wrote:
> Should I even worry about this since my network is using private IPs?

Since most ISPs do absolutely no filtering of RFC1918 addresses anywhere,
you positively _must_ do this. Try the following:

1. Remove the 'spoof' rules for RFC1918 addresses (temporarily).
2. Get to a host on an outside network.
3. On that host, "route add -net 192.168.0.0/24 ip.of.gate.way", where the
   192.168.0.0 matches your internal network, and 'ip.of.gate.way' matches
   your host's external interface.
4. Sit back and enjoy unfettered access to all those internal hosts.

'Private' addresses are only private if all the routers on the internet
refuse to route them. Most do not. :(

-- 
Greg White
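The 'spoof' rules Greg says you must keep in place, as an added example that is not part of the original mail: a POSIX sh script that prints ipfw rules dropping RFC1918 sources and destinations on the external interface (so a remote route to your internal prefix via your gateway reaches nothing), plus a helper to check whether an address falls in an RFC1918 range. The interface name fxp0 and the rule numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original mail): anti-spoofing rules for the
# external interface. fxp0 and the rule numbers are placeholders.

RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip_to_int A.B.C.D : print the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# is_rfc1918 IP : exit status 0 if IP is inside any RFC1918 prefix
is_rfc1918() {
    ip=$(ip_to_int "$1")
    for net in $RFC1918_NETS; do
        base=${net%/*}
        bits=${net#*/}
        mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
        [ $(( ip & mask )) -eq $(( $(ip_to_int "$base") & mask )) ] && return 0
    done
    return 1
}

# gen_antispoof_rules EXT_IF : print one ipfw rule per line. For each
# RFC1918 prefix: drop it as a source coming in (spoofed sender), drop it
# as a destination coming in (the externally routed internal prefix the
# mail describes), and drop it as a source going out (leak prevention).
gen_antispoof_rules() {
    ext_if=$1
    n=100
    for net in $RFC1918_NETS; do
        echo "ipfw add $n deny ip from $net to any in via $ext_if"
        n=$((n + 10))
        echo "ipfw add $n deny ip from any to $net in via $ext_if"
        n=$((n + 10))
        echo "ipfw add $n deny ip from $net to any out via $ext_if"
        n=$((n + 10))
    done
}

gen_antispoof_rules fxp0
```

Pipe the output into sh once you have confirmed the rule numbers land before your allow rules; the rules must sit ahead of anything that passes traffic in via the external interface.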