RFC: my firewall ruleset(s)

Giorgos Keramidas keramida at ceid.upatras.gr
Sun Oct 23 10:25:25 PDT 2005


On 2005-10-23 12:12, Chuck Swiger <cswiger at mac.com> wrote:
> You have anti-spoofing for the loopback, lo0 interface, but not for
> your other interfaces.  You should add anti-spoofing rules, and also
> block strict and loose source routing [1]:
>
> # Stop strict and loose source routing
> add deny log all from any to any ipoptions ssrr
> add deny log all from any to any ipoptions lsrr

Agreed.  Please note that this is ``an extra layer of protection''
though.  The relevant bits are already disabled through sysctl
settings, by default, and have to be explicitly enabled:

% flame:/home/keramida$ sysctl -a | fgrep accept_source
% net.inet.ip.accept_sourceroute: 0
% flame:/home/keramida$ sysctl -a | fgrep redirect
% net.inet.ip.redirect: 1
% net.inet.icmp.log_redirect: 1
% net.inet.icmp.drop_redirect: 1
% net.inet6.ip6.redirect: 1
% flame:/home/keramida$

I'm sure Chuck already knows this.  Just adding a minor note, to make
sure you, Eric, don't get the wrong impression that a firewall is an
absolute *requirement* to block these.
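
The two layers mentioned in this message (the sysctl knobs and the ipfw
rules) can be audited together.  The script below is an added example and
is not part of the original thread or of FreeBSD; it reads `sysctl -a`
style "key: value" lines and an `ipfw list` style ruleset and reports
whether the source-routing and ICMP-redirect protections discussed above
are in place.  The sysctl names come from the output quoted in this
message; the expected values (accept_sourceroute 0, drop_redirect 1,
log_redirect 1) and the rule wording follow the thread.  The sample inputs
are constructed here so the script runs offline; on a real host you would
pipe in the live command output instead.

```shell
#!/bin/sh
# Added example: audit sysctl output and an ipfw listing for the
# source-routing / redirect protections discussed in the thread.
# Inputs below are CONSTRUCTED samples, not captured from a real host.

# check_sysctl reads "key: value" lines on stdin, prints "ok <key>" or
# "BAD <key> (...)" for each expected key, and returns 0 only if every
# expected key is present with the expected value.
check_sysctl() {
    awk '
        BEGIN {
            want["net.inet.ip.accept_sourceroute"] = 0  # refuse source-routed packets
            want["net.inet.icmp.drop_redirect"]    = 1  # drop ICMP redirects
            want["net.inet.icmp.log_redirect"]     = 1  # and log them
        }
        /^[a-z0-9._]+: / {
            key = $1; sub(/:$/, "", key)
            if (key in want) { seen[key] = 1; got[key] = $2 }
        }
        END {
            rc = 0
            for (k in want) {
                if (!(k in seen))        { print "BAD " k " (missing)"; rc = 1 }
                else if (got[k] != want[k]) { print "BAD " k " (got " got[k] ", want " want[k] ")"; rc = 1 }
                else                     { print "ok " k }
            }
            exit rc
        }'
}

# check_ipfw reads ipfw rules on stdin and returns 0 only when both the
# strict (ssrr) and loose (lsrr) source-routing options are denied.
check_ipfw() {
    awk '
        /deny .*ipoptions ssrr/ { ssrr = 1 }
        /deny .*ipoptions lsrr/ { lsrr = 1 }
        END { exit (ssrr && lsrr) ? 0 : 1 }'
}

# Constructed sample: the values shown in the thread (hardened defaults).
SAMPLE_SYSCTL='net.inet.ip.accept_sourceroute: 0
net.inet.ip.redirect: 1
net.inet.icmp.log_redirect: 1
net.inet.icmp.drop_redirect: 1
net.inet6.ip6.redirect: 1'

# Constructed sample: a ruleset that carries the two rules Chuck suggested.
SAMPLE_IPFW='00100 deny log all from any to any ipoptions ssrr
00200 deny log all from any to any ipoptions lsrr
65535 allow ip from any to any'

# Stand-alone demo: report on both samples.
if printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctl; then
    echo "sysctl layer: source routing and redirects are handled"
else
    echo "sysctl layer: one or more knobs differ from the expected value"
fi
if printf '%s\n' "$SAMPLE_IPFW" | check_ipfw; then
    echo "ipfw layer: ssrr and lsrr are denied"
else
    echo "ipfw layer: missing a deny for ssrr and/or lsrr"
fi
```

Running `sysctl -a | check_sysctl` and `ipfw list | check_ipfw` on a
FreeBSD host gives the same report for the live configuration; a host that
passes the sysctl check but fails the ipfw one is still protected against
source routing, which is exactly the point made in the message above.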
