IPFW: combining "divert natd" with "keep-state"

David Wolfskill david at catwhisker.org
Fri Jun 20 06:13:27 PDT 2003


>Date: Fri, 20 Jun 2003 13:47:18 +0100 (BST)
>From: Jan Grant <Jan.Grant at bristol.ac.uk>
>To: Jim Hatfield <subscriber at insignia.com>
>Cc: freebsd-security at freebsd.org
>Subject: Re: IPFW: combining "divert natd" with "keep-state"

>> >: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
>> >: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0

>>  But one question first: do you
>> ever get hits on the second rule 300? I would have thought
>> it very difficult for anyone to route a packet to you with
>> a non-routable destination address. Surely only your ISP
>> could do that?

>Do you trust your ISP? If the choice is between a rule that has no
>benefit providing everyone configured their stuff correctly, and leaving
>out the safety-net because you expect to not need it, that's a pretty
>simple choice.

Indeed.  I'm not using that particular set of rules, but I do block RFC
1918 netblocks on the external interface.  And I do see attempts at
traffic:

Jun 19 02:14:28 janus /kernel: ipfw: 6000 Deny UDP 10.28.227.64:32769 63.193.123.122:53 in via dc0
Jun 19 02:14:57 janus last message repeated 18 times

I expect this is a result of a misconfiguration (or lack of configuration)
on someone's part.  Regardless, I won't have anything to do with it.

(I also block packets with certain oddball options set, though I have
yet to see any.)

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Based on what I have seen to date, the use of Microsoft products is not
consistent with reliability.  I recommend FreeBSD for reliable systems.
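The two log lines above are what the RFC 1918 safety-net rule produces when it fires, and the second of them is syslog's "last message repeated 18 times" coalescing, which any counting of those hits has to fold back into the preceding deny. Below is an added example, not code from this message or from FreeBSD, that parses ipfw kernel log lines of that shape, credits repeat lines to the right event, and reports inbound denies whose source or destination falls in an RFC 1918 block. Only the first two sample lines are from the message; the remaining sample lines, the host name reuse, rule numbers 6001/6010/6100 and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log. The first two lines are the ones quoted in the
# message; the rest are invented here to exercise the parser: TCP and ICMP
# hits from the other two private ranges, a deny that is not a bogon, a
# non-ipfw syslog line followed by its own "repeated" line (which must NOT be
# credited to the last ipfw deny), and an inbound packet whose *destination*
# is private, the case the second "rule 300" in the quoted thread covers.
SAMPLE_LOG = """\
Jun 19 02:14:28 janus /kernel: ipfw: 6000 Deny UDP 10.28.227.64:32769 63.193.123.122:53 in via dc0
Jun 19 02:14:57 janus last message repeated 18 times
Jun 19 03:01:02 janus /kernel: ipfw: 6000 Deny TCP 192.168.1.5:4455 63.193.123.122:22 in via dc0
Jun 19 03:05:10 janus /kernel: ipfw: 6010 Deny ICMP:8.0 172.16.9.9 63.193.123.122 in via dc0
Jun 19 03:05:11 janus last message repeated 3 times
Jun 19 03:07:00 janus /kernel: ipfw: 6100 Deny UDP 198.51.100.7:1234 63.193.123.122:53 in via dc0
Jun 19 03:08:00 janus sshd[4711]: Connection closed by 203.0.113.9
Jun 19 03:08:01 janus last message repeated 2 times
Jun 19 04:00:00 janus /kernel: ipfw: 6001 Deny TCP 203.0.113.9:40000 192.168.0.77:80 in via dc0
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"

# "/kernel:" is the 4.x-era prefix seen in the message; newer syslogd writes
# "kernel:". TCP/UDP carry ":port" on both addresses, ICMP carries none.
IPFW_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) /?kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<dir>in|out) via (?P<iface>\S+)$"
)
REPEAT_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) last message repeated (?P<n>\d+) times$"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if the dotted-quad address lies in one of the RFC 1918 blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_ipfw_log(text):
    """Return one dict per ipfw log event with a 'count' that folds in
    syslog's 'last message repeated N times' lines.

    A repeat line is credited only if the immediately preceding line from
    that host was an ipfw event; any other line (another daemon's message)
    breaks the chain, so its repeats are not attributed to the last deny.
    """
    events = []
    last = None
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["rule"] = int(ev["rule"])
            ev["count"] = 1
            events.append(ev)
            last = ev
            continue
        r = REPEAT_RE.match(line)
        if r:
            if last is not None and last["host"] == r["host"]:
                last["count"] += int(r["n"])
            continue  # a repeat line keeps the chain alive
        last = None  # some other message intervened
    return events


def summarize(events, iface=None):
    """Denied packets per (src, rule, proto, direction), optionally for one
    interface, with repeat counts included. Returns a plain dict."""
    totals = Counter()
    for ev in events:
        if ev["action"] != "Deny":
            continue
        if iface is not None and ev["iface"] != iface:
            continue
        totals[(ev["src"], ev["rule"], ev["proto"], ev["dir"])] += ev["count"]
    return dict(totals)


def bogon_report(events):
    """Inbound denies whose source or destination is RFC 1918, i.e. the
    safety-net rules doing their job. Returns {(src, dst): packets}."""
    hits = Counter()
    for ev in events:
        if ev["action"] != "Deny" or ev["dir"] != "in":
            continue
        if is_rfc1918(ev["src"]) or is_rfc1918(ev["dst"]):
            hits[(ev["src"], ev["dst"])] += ev["count"]
    return dict(hits)


if __name__ == "__main__":
    evs = parse_ipfw_log(SAMPLE_LOG)
    for (src, dst), n in sorted(bogon_report(evs).items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {src:>15} -> {dst}")
```

The repeat-line handling is the part worth copying: without it the 18 repeats in the message's own excerpt vanish, and without the chain reset a "repeated" line belonging to some other daemon gets charged to the last ipfw deny. Feed it `/var/log/security` (or wherever `security.*` is sent in syslog.conf) with the interface name of the external side to get the same report for a real box.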

