From owner-freebsd-security  Wed Dec  8 14:22:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from server.computeralt.com (server.computeralt.com [207.41.29.10])
	by hub.freebsd.org (Postfix) with ESMTP id 037811564E
	for ; Wed, 8 Dec 1999 14:22:08 -0800 (PST)
	(envelope-from scott@computeralt.com)
Received: from scott (scott.computeralt.com [207.41.29.100])
	by server.computeralt.com (8.9.3/8.9.1) with ESMTP id RAA13653
	for ; Wed, 8 Dec 1999 17:22:05 -0500 (EST)
Message-Id: <4.2.2.19991208171410.00aa4db0@mail.computeralt.com>
X-Sender: scott@mail.computeralt.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Wed, 08 Dec 1999 17:22:04 -0500
To: freebsd-security@FreeBSD.ORG
From: "Scott I. Remick"
Subject: Re: What kind of attack is this?
In-Reply-To: <19991209083140.A7509@atdot.dotat.org>
References: <4.2.2.19991208162315.00b5f4e0@mail.computeralt.com>
 <4.2.2.19991208162315.00b5f4e0@mail.computeralt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 08:31 AM 12/9/99 +1030, Mark Newton wrote:
>Get a FreeBSD box with two ethernet interfaces.  Enable ipfw.  Start
>with rules that look like this:
>
>   ipfw add pass udp from any GOODPORT to any in via OUTSIDE-INTERFACE
>   ipfw add deny udp from any to any in via OUTSIDE-INTERFACE
>   ipfw add pass all from any to any
>
>Of course, the ruleset you end up with will be more comprehensive
>than that, but it should give you an idea.  Look at /etc/rc.firewall
>for more info.

Yeah, I understand all that, believe it or not :).  I actually have the
system built up partway (FreeBSD 3.3, 2 NICs working, ssh the only
service, firewall built into kernel, etc.) but it's not quite so easy to
just drop it into place.
I need to get everyone off static IP and onto DHCP so I can then chop up
our class C into subnets so we can actually do routing, then move some
servers' IPs around so they end up in the proper subnets, and I even want
to drop in a 3rd NIC and have a 3-homed host.  But things that involve
change and aren't Microsoft solutions move at a snail's pace around
here... but I digress...

I am hoping to figure out a way to do exactly that with the Pipeline.  I
actually have a bunch of filters on it that I already created, but they
don't overlap the way these do and I'm unclear whether the Pipeline will
interpret these filters the way I need it to.  But your first 2 rules are
exactly what I had in mind, and I know how to do them... I suppose I
could just put them in place and see if it works.

>Alternatively buy a Cisco -- Ascends are toy routers, IMHO, with
>somewhat limited packet filtering abilities.

They won't be doing that anytime soon.  As it was, I had to obtain a
no-cost system using loose used inventory so that I could build up the
FreeBSD box destined to be a firewall.  What I'm hoping for is a
temporary band-aid solution for this one particular event, and to
understand the type of attack better, and also nail the jerk and have
his toys taken away from him.

-----------------------
Scott I. Remick                     scott@computeralt.com
Network and Information             (802)388-7545 ext. 236
Systems Manager                     FAX:(802)388-3697
Computer Alternatives, Inc.         http://www.computeralt.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
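The question of how the two overlapping UDP rules are interpreted comes down to ipfw's first-match semantics: rules are tried in number order and the first one that matches decides the packet, so "pass udp from GOODPORT" must precede "deny udp". The following is an added example, not code from this thread or from FreeBSD: a small parser for the subset of ipfw(8) syntax used in the quoted rules, plus a first-match evaluator run over constructed sample packets. GOODPORT and OUTSIDE-INTERFACE are bound to assumed values (53 and ed0); addresses are not evaluated because every quoted rule uses "any".

```python
"""Added example (not from the thread): first-match evaluator for the subset
of ipfw(8) syntax used in the quoted ruleset.

Assumptions: GOODPORT = 53 and OUTSIDE-INTERFACE = ed0; addresses are not
evaluated because every quoted rule says "any"; rule numbers follow ipfw's
default auto-increment of 100 when "ipfw add" is given no number.
"""
import re
from dataclasses import dataclass
from typing import Optional

GOODPORT = 53              # assumption: e.g. replies from an upstream DNS server
OUTSIDE_INTERFACE = "ed0"  # assumption: the NIC facing the Internet

# The three rules exactly as quoted in the message above.
RULESET = [
    "ipfw add pass udp from any GOODPORT to any in via OUTSIDE-INTERFACE",
    "ipfw add deny udp from any to any in via OUTSIDE-INTERFACE",
    "ipfw add pass all from any to any",
]
# Same rules with the first two swapped, to show that order decides the outcome.
REORDERED = [RULESET[1], RULESET[0], RULESET[2]]

PLACEHOLDERS = {"GOODPORT": str(GOODPORT), "OUTSIDE-INTERFACE": OUTSIDE_INTERFACE}

# ipfw add <action> <proto> from <src> [sport] to <dst> [dport] [in|out] [via <iface>]
RULE_RE = re.compile(
    r"^ipfw add (?P<action>pass|allow|deny|drop) (?P<proto>\w+)"
    r" from \S+(?: (?P<sport>\d+))? to \S+(?: (?P<dport>\d+))?"
    r"(?: (?P<dir>in|out))?(?: via (?P<iface>\S+))?$"
)


@dataclass
class Packet:
    proto: str       # "udp", "tcp", "icmp"
    sport: int
    dport: int
    direction: str   # "in" or "out"
    iface: str       # interface the packet arrives on or leaves by


@dataclass
class Rule:
    action: str               # "pass" or "deny"
    proto: str                # protocol name, or "all"
    sport: Optional[int]      # None matches any source port
    dport: Optional[int]      # None matches any destination port
    direction: Optional[str]  # None matches both directions
    iface: Optional[str]      # None matches any interface


def load_ruleset(lines):
    """Expand placeholders, parse each line, number the rules 100, 200, ..."""
    rules = []
    number = 0
    for line in lines:
        for name, value in PLACEHOLDERS.items():
            line = line.replace(name, value)
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line}")
        number += 100
        rules.append((number, Rule(
            action="pass" if m["action"] in ("pass", "allow") else "deny",
            proto=m["proto"],
            sport=int(m["sport"]) if m["sport"] else None,
            dport=int(m["dport"]) if m["dport"] else None,
            direction=m["dir"],
            iface=m["iface"],
        )))
    return rules


def matches(rule, pkt):
    """A rule matches only if every option it specifies agrees with the packet."""
    return (rule.proto in ("all", pkt.proto)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface))


def decide(rules, pkt):
    """First matching rule wins, as in ipfw. Returns (rule number, action)."""
    for number, rule in rules:
        if matches(rule, pkt):
            return number, rule.action
    # Nothing matched: ipfw's implicit final rule 65535 denies unless the
    # kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT. Unreachable here,
    # because the quoted ruleset ends with "pass all".
    return 65535, "deny"


FIREWALL = load_ruleset(RULESET)

# Constructed sample traffic (not captured from the poster's network).
SAMPLES = {
    "UDP reply from port 53, inbound on ed0": Packet("udp", 53, 1234, "in", "ed0"),
    "other UDP, inbound on ed0":              Packet("udp", 5000, 5000, "in", "ed0"),
    "UDP query leaving via ed0":              Packet("udp", 1234, 53, "out", "ed0"),
    "UDP arriving on the inside NIC ed1":     Packet("udp", 5000, 5000, "in", "ed1"),
    "TCP to port 22, inbound on ed0":         Packet("tcp", 40000, 22, "in", "ed0"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:40} -> {decide(FIREWALL, pkt)}")
    reply = SAMPLES["UDP reply from port 53, inbound on ed0"]
    print("same reply with the deny listed first   ->", decide(load_ruleset(REORDERED), reply))
```

Two things the run makes visible that the three quoted lines do not: the deny is scoped by "in via" to the outside interface only, so UDP leaving the box or arriving on the inside NIC falls through to "pass all", and the whole scheme keys on the source port, which a remote sender can set to anything, so the GOODPORT pass rule is a convenience for replies rather than an authentication of them.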