tcp blackhole and ident

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Jan 31 06:05:42 PST 2004


On Sat, Jan 31, 2004 at 07:46:39AM -0600, J.D. Bronson wrote:
> At 07:39 AM 1/31/2004, Matthew Seaman wrote:

> >Run ipfw(8) or a similar firewall and set up a rule that sends an ICMP
> >reject whenever it detects an incoming connection on port 113 as part
> >of your firewall configuration.  Eg. something like:
> >
> >    01600 reset tcp from any to me dst-port 113 setup

> Thanks...but I have quite a robust Cisco firewall in place ahead of the 
> freebsd machines...so I don't -need- to run ipfw...Hmmm...
> 
> Actually since the Cisco is dropping any packets already, I wonder if 
> 'blackhole' is simply a stupid idea in the first place...

Well, gee.  I'm sure Cisco PIX is capable of sending a 'reject' rather
than just dropping the packet.  Even so, don't dismiss running packet
filters locally on your FreeBSD boxes.  Think "defense in depth" -- or
how many things have to go wrong until there are bad consequences.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
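The reset-versus-drop distinction this thread turns on is observable from outside: a reset makes a remote ident lookup fail at once, a blackholed SYN makes the remote daemon wait out its timeout. Added example, not code from the thread or from FreeBSD: a small Python probe that classifies how a host answers a TCP connect on port 113 and states what each answer means for an ident lookup; the host, port and timeout values are the caller's choice.

```python
import errno
import socket
import time

# Added example, not from the original thread: classify how a host answers a
# TCP connection attempt. A reset (ipfw `reset`, or a closed port without
# blackhole) fails a remote ident lookup at once; a dropped/blackholed SYN
# leaves the remote daemon waiting for its whole timeout.
IDENT_PORT = 113

def probe_tcp(host, port, timeout=3.0):
    """One TCP connect; returns (outcome, seconds_elapsed).
    outcome: "open", "refused" (RST), "timeout" (dropped/blackholed),
    or "unreachable" (ICMP unreachable / no route)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = "open"
    except socket.timeout:
        outcome = "timeout"
    except ConnectionRefusedError:
        outcome = "refused"
    except OSError as exc:
        if exc.errno not in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            raise
        outcome = "unreachable"
    finally:
        sock.close()
    return outcome, time.monotonic() - start

def ident_impact(outcome):
    """What a remote daemon doing an ident lookup experiences per outcome."""
    return {
        "open": "identd answered: lookup completes",
        "refused": "RST received: lookup fails immediately, no delay",
        "timeout": "no reply: lookup stalls until the daemon's timeout expires",
        "unreachable": "ICMP unreachable: most clients give up quickly",
    }[outcome]

def closed_local_port():
    """Constructed test input: a port currently closed on 127.0.0.1."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    result, secs = probe_tcp("127.0.0.1", IDENT_PORT)
    print(f"port {IDENT_PORT}: {result} after {secs:.2f}s -> {ident_impact(result)}")
```

Run it from a second host against the FreeBSD box to confirm that port 113 answers with "refused" rather than "timeout" once the reset rule is in place.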