Message-ID: <397D4A06.9CFAF1FA@math.missouri.edu>
Date: Tue, 25 Jul 2000 03:04:22 -0500
From: Stephen Montgomery-Smith
To: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
References: <397C8F30.8DFCE0E9@math.missouri.edu>

I am coming to the conclusion that the only reasonably easy way to fix this is that the antispoofing should be done by the program natd. We could add another option to natd that would disallow any outgoing packets sent to an unregistered ip address, and disallow any incoming packets from or to an unregistered ip address. Call it -antispoof.

What do you guys think? I think it would be quite an easy job - I would be happy to do it, but if it isn't going to be accepted, I don't want to make the effort.

Stephen

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu
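
The rule proposed in the message above, written out as an added example; it is not part of the original post and not natd code. It assumes "unregistered" means the RFC 1918 ranges (the sense natd's existing -unregistered_only option uses), and the names `antispoof_check`, `is_unregistered` and `ip4` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: "unregistered" = RFC 1918 private address space. */
enum direction { DIR_OUT, DIR_IN };  /* relative to the external interface */
enum verdict   { PASS, DROP };

/* Build a host-byte-order IPv4 address from dotted-quad parts. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* True for 10/8, 172.16/12 and 192.168/16 (address in host byte order). */
static int is_unregistered(uint32_t addr)
{
    return (addr & 0xff000000u) == 0x0a000000u ||
           (addr & 0xfff00000u) == 0xac100000u ||
           (addr & 0xffff0000u) == 0xc0a80000u;
}

/*
 * Hypothetical -antispoof check. It looks at addresses as they appear on the
 * external wire: outgoing packets are tested on destination only (the source
 * is still the private LAN address that aliasing will rewrite); incoming
 * packets are tested before de-aliasing, when source and destination should
 * both be registered addresses.
 */
static enum verdict antispoof_check(enum direction dir, uint32_t src, uint32_t dst)
{
    if (dir == DIR_OUT)
        return is_unregistered(dst) ? DROP : PASS;
    return (is_unregistered(src) || is_unregistered(dst)) ? DROP : PASS;
}

int main(void)
{
    /* Constructed samples; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges. */
    uint32_t lan = ip4(192, 168, 1, 10), peer = ip4(198, 51, 100, 7), gw = ip4(203, 0, 113, 5);
    const char *name[] = { "pass", "drop" };

    printf("out LAN->peer:        %s\n", name[antispoof_check(DIR_OUT, lan, peer)]);
    printf("out LAN->10.0.0.1:    %s\n", name[antispoof_check(DIR_OUT, lan, ip4(10, 0, 0, 1))]);
    printf("in  peer->gw:         %s\n", name[antispoof_check(DIR_IN, peer, gw)]);
    printf("in  172.16.0.1->gw:   %s\n", name[antispoof_check(DIR_IN, ip4(172, 16, 0, 1), gw)]);
    printf("in  peer->LAN (raw):  %s\n", name[antispoof_check(DIR_IN, peer, lan)]);
    return 0;
}
```

Running the same test on an incoming packet after de-aliasing would drop legitimate replies, because their destination has already been rewritten to a private LAN address.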