Date:      Sat, 4 Jul 1998 19:22:47 -0700 (PDT)
From:      "Jan B. Koum " <jkb@best.com>
To:        Louie <louie@sunra.csci.unt.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw with ppp -alias setup
Message-ID:  <Pine.BSF.3.96.980704191956.21725A-100000@shell6.ba.best.com>
In-Reply-To: <199807050208.VAA22240@sunra.csci.unt.edu>

On Sat, 4 Jul 1998, Louie wrote:

>On Fri, 3 Jul 1998, Jan B. Koum wrote:
> 
>> ># ipfw list
>> >01000 allow ip from any to any via lo0
>> >01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
>> >01110 deny log ip from 192.168.0.0/16 to any in recv tun0
>>                             ^^^^^^
>> 
>> 	Aren't you using 192.168.1.0/16 as you mentioned above?
>
>Yes, but I'm blocking 192.168.1.0/16 from coming in on the PPP side.
>Spoof prevention.
> 

	Well.. spoofed packets will try to pretend that they are coming
from your computer. So, in reality you don't need rules 1210, 1310 and
1110 above, but instead only need 192.168.1.0/24 since that is what one
would try to spoof with.

>> >01210 deny log ip from 172.16.0.0/12 to any in recv tun0
>> >01310 deny log ip from 10.0.0.0/8 to any in recv tun0
>> >01410 allow tcp from any to any in recv tun0 established
>
>> 	AFAICT the rules look ok. Really paranoid people might just take
>> out icmp (think Phrack issue 51 article 6). But yeah, everything looks
>> fine. Add the "deny log" rule before last one if you want.
>
>I'll have to check that out.

	Do that. :) Also do note that this type of data tunneling can be
done with protocols other than icmp.


-- Yan
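To make the first-match behaviour of the quoted `ipfw list` fragment concrete, here is an added Python model of those six rules run over constructed packets (this is not code from the thread, from Louie's setup or from FreeBSD). The rule numbers, networks and `tun0`/`lo0` are the ones quoted above; the LAN interface name `ed0` and all sample addresses are assumptions, and a packet that none of the six rules matches falls to ipfw's default rule, because the rest of Louie's chain is not shown in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """An inbound packet as ipfw sees it (constructed test data)."""
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    recv_if: str               # interface the packet was received on
    established: bool = False  # TCP segment with ACK or RST set


# Rules transcribed from the `ipfw list` output quoted in the thread, as
# (number, action, proto, src_net, dst_net, options); proto "ip" matches all.
# Only inbound packets are modelled, so "via lo0" reduces to "received on lo0".
RULES = [
    (1000, "allow", "ip", "any", "any", {"recv": "lo0"}),
    (1010, "deny", "ip", "127.0.0.0/8", "127.0.0.0/8", {}),
    (1110, "deny", "ip", "192.168.0.0/16", "any", {"recv": "tun0"}),
    (1210, "deny", "ip", "172.16.0.0/12", "any", {"recv": "tun0"}),
    (1310, "deny", "ip", "10.0.0.0/8", "any", {"recv": "tun0"}),
    (1410, "allow", "tcp", "any", "any", {"recv": "tun0", "established": True}),
]
DEFAULT_RULE = (65535, "deny")  # implicit last rule on a default-to-deny kernel


def _in_net(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def first_match(pkt, rules=RULES):
    """Return (rule_number, action) of the first matching rule.

    ipfw walks the chain in ascending order and stops at the first match, so
    the anti-spoof denies only work because they sit above the broad allows.
    """
    for num, action, proto, src, dst, opts in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_in_net(src, pkt.src) and _in_net(dst, pkt.dst)):
            continue
        if "recv" in opts and pkt.recv_if != opts["recv"]:
            continue
        if opts.get("established") and not pkt.established:
            continue
        return num, action
    return DEFAULT_RULE
```

A packet carrying a 192.168.1.x source that arrives on `tun0` stops at rule 1110, while the same source seen on the LAN interface is untouched by it, which is the interface binding (`in recv tun0`) that makes the rule an anti-spoof check rather than a block on the LAN itself.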

