RFC: my firewall ruleset(s)
Giorgos Keramidas
keramida at ceid.upatras.gr
Sun Oct 23 10:25:25 PDT 2005
On 2005-10-23 12:12, Chuck Swiger <cswiger at mac.com> wrote:
> You have anti-spoofing for the loopback, lo0 interface, but not for
> your other interfaces. You should add anti-spoofing rules, and also
> block strict and loose source routing [1]:
>
> # Stop strict and loose source routing
> add deny log all from any to any ipoptions ssrr
> add deny log all from any to any ipoptions lsrr
Agreed. Please note that this is ``an extra layer of protection''
though. The relevant bits are already disabled through sysctl
settings, by default, and have to be explicitly enabled:
% flame:/home/keramida$ sysctl -a | fgrep accept_source
% net.inet.ip.accept_sourceroute: 0
% flame:/home/keramida$ sysctl -a | fgrep redirect
% net.inet.ip.redirect: 1
% net.inet.icmp.log_redirect: 1
% net.inet.icmp.drop_redirect: 1
% net.inet6.ip6.redirect: 1
% flame:/home/keramida$
I'm sure Chuck already knows this. Just adding a minor note, to make
sure you, Eric, don't get the wrong impression that a firewall is an
absolute *requirement* to block these.
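The point above (the kernel knobs, not the firewall, are the first line of defence) can be checked directly on a host. The script below is an added example, not part of the original thread or of Giorgos's setup; it assumes only the `name: value` format that `sysctl -a` prints as shown in the quoted session, and the two constructed sample dumps stand in for real output so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the sysctl knobs
# discussed above against the values that make source-routed packets and
# ICMP redirects harmless, without relying on ipfw at all.
# Usage on a FreeBSD host:  sysctl -a | audit_sourceroute_sysctls
#        on a saved dump:   audit_sourceroute_sysctls < sysctl.txt
# Prints one OK/WARN line per knob; returns 0 only when every knob
# already has the hardened value shown in the thread, 1 otherwise.

audit_sourceroute_sysctls() {
    # knob=wanted pairs, taken from the values shown in the thread
    want="net.inet.ip.accept_sourceroute=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1"
    bad=0
    input=$(cat)
    for pair in $want; do
        knob=${pair%=*}
        wanted=${pair#*=}
        # sysctl -a prints "name: value"; pull the value for this knob
        actual=$(printf '%s\n' "$input" | awk -v k="$knob" '$1 == (k ":") { print $2 }')
        if [ -z "$actual" ]; then
            printf 'WARN %s not present in sysctl output\n' "$knob"
            bad=1
        elif [ "$actual" = "$wanted" ]; then
            printf 'OK   %s = %s\n' "$knob" "$actual"
        else
            printf 'WARN %s = %s (want %s)\n' "$knob" "$actual" "$wanted"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample mirroring the default values quoted in the thread
SAMPLE_HARDENED='net.inet.ip.accept_sourceroute: 0
net.inet.ip.redirect: 1
net.inet.icmp.log_redirect: 1
net.inet.icmp.drop_redirect: 1
net.inet6.ip6.redirect: 1'

# Constructed sample of a host where someone explicitly enabled
# source routing and turned redirect handling off
SAMPLE_WEAK='net.inet.ip.accept_sourceroute: 1
net.inet.ip.redirect: 1
net.inet.icmp.log_redirect: 0
net.inet.icmp.drop_redirect: 0'

# Run against the hardened sample when executed directly (not when sourced)
case "$0" in
    *audit*) printf '%s\n' "$SAMPLE_HARDENED" | audit_sourceroute_sysctls ;;
esac
```

On the hardened sample every knob reports OK and the function returns 0; on the weak sample it flags `accept_sourceroute`, `log_redirect` and `drop_redirect` and returns 1, which is exactly the situation where the ipfw `ipoptions ssrr`/`lsrr` rules stop being a belt-and-braces extra and become the only thing in the way.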