Date: Tue, 9 Oct 2001 03:48:32 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Another firewall question - spoofing prevention and syntax
Message-ID: <20011009034832.M350@blossom.cjclark.org>
In-Reply-To: <20011008233219.C589@acadia.ne.mediaone.net>; from leblanc%2Bfreebsd@smtp.ne.mediaone.net on Mon, Oct 08, 2001 at 11:32:20PM -0400
References: <20011008233219.C589@acadia.ne.mediaone.net>

On Mon, Oct 08, 2001 at 11:32:20PM -0400, Louis LeBlanc wrote:
> Another firewall question, not for the faint of heart:
>
> Is the following valid?
>
> # Refuse incoming packets pretending to be from the external address.
> ipfw add deny log all from $IPADDR to any via (null) in
>
> # Refuse incoming packets claiming to be from a Class A, B or C private network
> ipfw add deny all from $CLASS_A to any via (null) in
> ipfw add deny all from $CLASS_B to any via (null) in
> ipfw add deny all from $CLASS_C to any via (null) in
>
>
> I can't find any reference to the use of (null) as the interface name
> to prevent spoofing, but the tool I use online does this
> automagically.
>
> Any ideas?

"(null)" is not a valid interface specification. However,

  # Refuse incoming packets pretending to be from the external address.
  ipfw add deny log all from $IPADDR to any in

  # Refuse incoming packets claiming to be from a Class A, B or C private network
  ipfw add deny all from $CLASS_A to any in
  ipfw add deny all from $CLASS_B to any in
  ipfw add deny all from $CLASS_C to any in

is perfectly valid.
--
Crist J. Clark
cjclark@alum.mit.edu
cjclark@jhu.edu
cjc@freebsd.org
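
An added example, not part of the original message or of any tool mentioned in it: a small generator that prints the anti-spoofing rules discussed above and rejects an unusable interface name such as "(null)" instead of writing it into the ruleset. The address 203.0.113.10, the interface fxp0, the RFC 1918 values assigned to $CLASS_A/$CLASS_B/$CLASS_C, the letters-plus-unit-number name check and the function names are all assumptions of this example.

```sh
#!/bin/sh
# Added example: print ipfw anti-spoofing rules, refusing a bogus interface name.
# IPADDR is a constructed sample (RFC 5737 documentation address).
IPADDR="203.0.113.10"
# RFC 1918 private ranges, assumed to be what $CLASS_A/B/C stand for.
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"

# valid_ifname NAME: succeed only for names shaped like fxp0, ed1, tun0.
# Simplifying assumption: lowercase driver name followed by a unit number.
valid_ifname() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;   # empty, or has chars such as "(" or ")"
        [a-z]*[0-9])    return 0 ;;   # driver name ending in a unit digit
        *)              return 1 ;;
    esac
}

# antispoof_rules [IFNAME]: print the rules; nothing is loaded into the kernel.
antispoof_rules() {
    if [ $# -eq 0 ]; then
        match="in"                    # form from the reply: any interface
    elif valid_ifname "$1"; then
        match="in via $1"             # restrict to one inbound interface
    else
        echo "antispoof_rules: bad interface name: $1" >&2
        return 1
    fi
    echo "ipfw add deny log all from $IPADDR to any $match"
    for net in "$CLASS_A" "$CLASS_B" "$CLASS_C"; do
        echo "ipfw add deny all from $net to any $match"
    done
}

# Demo with a hypothetical outside interface; review the output before loading it.
antispoof_rules fxp0
```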