Date:      Mon, 16 Sep 1996 21:10:06 -0700 (PDT)
From:      Michael Dillon <michael@memra.com>
To:        inet-access@earth.com
Cc:        iap@vma.cc.nd.edu, linuxisp@jeffnet.org, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
Subject:   Filtering spoofed SYN packets on Livingston's
Message-ID:  <Pine.BSI.3.93.960916210714.3265W-100000@sidhe.memra.com>

This is a fragment from the NANOG list archived at http://www.merit.edu

It will work on Livingston IRX routers as well as PM2e and PM2eR terminal
servers.

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael@memra.com

----------- Fragment of message ---------------

create a filter "internet.out"
Contents:
three lines for each net block you have:

	permit 1.2.3.4/20 tcp
	permit 1.2.3.4/20 udp
	permit 1.2.3.4/20 icmp

final line to log (optional) MUST COME AFTER permit list for netblocks:
	deny log

The final line will have the router syslog a message any time someone
tries to send from an address outside your blocks, as defined in the
rest of the filter.  This is optional.  Keep in mind that the panix
attack would probably have flooded your syslog machine's disk space
with syslog info in this case.  Hardening that is an issue for another day,
however.

Apply this to all outbound ports on your gateway IRX routers.
You can do similar things with inbound ports on customer connections
or other internal routers if you desire to start filtering earlier
than your border gateway machines.

For example, if 1.2.3.0/21 is your block for your St Louis hub and
2.3.11.0/24 and 2.3.22.0/26 are customer nets there, then
the outbound interface for your St Louis IRX could have the
following filter on its outbound interface(s):
	permit 1.2.3.0/21 tcp
	permit 1.2.3.0/21 udp
	permit 1.2.3.0/21 icmp
	permit 2.3.11.0/24 tcp
	permit 2.3.11.0/24 udp
	permit 2.3.11.0/24 icmp
	permit 2.3.22.0/26 tcp
	permit 2.3.22.0/26 udp
	permit 2.3.22.0/26 icmp
	deny log

Alternatively you can filter on incoming ports with the same syntax.
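
The filter semantics described in the fragment, as an added example that is not part of the original message or of Livingston's software: rules are evaluated top to bottom, the first match wins, and the trailing "deny log" catches any source address outside the listed blocks. The script builds the three-permit-lines-per-block filter from a list of netblocks, applies it to constructed sample traffic (a spoofed SYN flood plus a few packets from the operator's own blocks), and adds a sliding-window rate limiter on the deny log to show what the syslog-flooding caveat above looks like in numbers. Only the subset of Livingston syntax shown on this page is modelled; the implicit deny at the end of a filter with no deny line, the rate limiter, the packet sample and all names below are assumptions for illustration. Note that because the permit lines name a protocol, traffic of any other IP protocol (GRE in the sample) from the operator's own blocks also falls through to the deny line.

```python
import ipaddress
from collections import deque

# Added example, not code from the original message. It models the filter
# semantics the message describes: rules are checked top to bottom, the first
# match wins, and the trailing "deny log" catches every source outside the
# listed blocks. Only the subset of Livingston syntax shown above is modelled
# ("permit <net>/<len> <proto>" and "deny log"); the implicit deny at the end
# of a filter with no deny line and the rate limiter for deny logging are
# assumptions added to illustrate the syslog-flooding caveat.

PROTOCOLS = ("tcp", "udp", "icmp")


def build_filter(netblocks):
    """Three permit lines per netblock, then the final deny log line."""
    lines = []
    for block in netblocks:
        net = ipaddress.ip_network(block, strict=False)  # 1.2.3.4/20 -> 1.2.0.0/20
        for proto in PROTOCOLS:
            lines.append(f"permit {net.with_prefixlen} {proto}")
    lines.append("deny log")  # must be last: an earlier deny would shadow the permits
    return lines


def parse_filter(lines):
    """Parse filter text into (action, network, protocol, log) rule tuples."""
    rules = []
    for line in lines:
        parts = line.split()
        if parts[0] == "permit":
            net = ipaddress.ip_network(parts[1], strict=False)
            rules.append(("permit", net, parts[2], False))
        elif parts[0] == "deny":
            rules.append(("deny", None, None, "log" in parts[1:]))
        else:
            raise ValueError(f"unknown rule: {line!r}")
    return rules


def evaluate(rules, src, proto):
    """First-match evaluation; returns (action, index of the matching rule)."""
    src = ipaddress.ip_address(src)
    for i, (action, net, rule_proto, _log) in enumerate(rules):
        if action == "deny":               # bare deny matches everything
            return "deny", i
        if src in net and proto == rule_proto:
            return "permit", i
    return "deny", len(rules)              # assumed implicit deny at end of filter


class RateLimitedDenyLog:
    """Sliding-window limiter: at most max_per_window deny lines per window (ms).
    Assumed add-on; the message only warns that 'deny log' floods syslog."""

    def __init__(self, max_per_window, window_ms):
        self.max_per_window = max_per_window
        self.window_ms = window_ms
        self.stamps = deque()   # timestamps of lines emitted within the window
        self.emitted = []
        self.suppressed = 0

    def log(self, now_ms, src, proto):
        while self.stamps and now_ms - self.stamps[0] >= self.window_ms:
            self.stamps.popleft()
        if len(self.stamps) >= self.max_per_window:
            self.suppressed += 1
            return False
        self.stamps.append(now_ms)
        self.emitted.append(f"t={now_ms}ms deny src={src} proto={proto}")
        return True


def run_packets(rules, packets, logger):
    """Apply the filter to (time_ms, src, proto) packets; returns (permitted, denied)."""
    permitted = denied = 0
    for t, src, proto in sorted(packets):
        action, idx = evaluate(rules, src, proto)
        if action == "permit":
            permitted += 1
            continue
        denied += 1
        if idx < len(rules) and rules[idx][3]:   # only a "deny log" rule logs
            logger.log(t, src, proto)
    return permitted, denied


def spoofed_syn_flood(n, start_ms=0, interval_ms=1):
    """Constructed sample traffic: n TCP packets with forged sources outside our blocks."""
    return [(start_ms + k * interval_ms,
             f"{10 + k % 200}.{k % 256}.{(k * 7) % 256}.{(k * 13) % 256}", "tcp")
            for k in range(n)]


def simulate_flood():
    """Five seconds of spoofed SYNs at 1000 pps plus three constructed packets of our own."""
    rules = parse_filter(build_filter(["1.2.3.0/21", "2.3.11.0/24", "2.3.22.0/26"]))
    legit = [(500, "1.2.4.7", "tcp"), (600, "2.3.22.9", "udp"), (700, "1.2.3.5", "gre")]
    logger = RateLimitedDenyLog(max_per_window=10, window_ms=1000)
    permitted, denied = run_packets(rules, spoofed_syn_flood(5000) + legit, logger)
    return permitted, denied, len(logger.emitted), logger.suppressed


if __name__ == "__main__":
    for line in build_filter(["1.2.3.0/21", "2.3.11.0/24", "2.3.22.0/26"]):
        print(line)
    print("permitted, denied, logged, suppressed:", simulate_flood())
```

With a limit of ten deny lines per second, the five-second flood produces 50 syslog lines instead of 5000; without the limiter every spoofed packet becomes a syslog message, which is the disk-filling scenario the fragment warns about. The GRE packet from 1.2.3.5 is denied even though its source is inside the operator's block, because no permit line names that protocol.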