From owner-freebsd-security Thu Aug 12 12:33:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id EB32314D54 for ; Thu, 12 Aug 1999 12:33:41 -0700 (PDT) (envelope-from nick@rapidnet.com) Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id NAA63946; Thu, 12 Aug 1999 13:33:40 -0600 (MDT) Date: Thu, 12 Aug 1999 13:33:40 -0600 (MDT) From: Nick Rogness To: Tom Brown Cc: "'Paul Hart'" , "freebsd-security@FreeBSD.ORG" Subject: RE: ipfw In-Reply-To: <01BEE4A6.75DBDD80@beetroot.securify.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 12 Aug 1999, Tom Brown wrote: > > > what rules should I add to my ipfw ruleset to block out icmp > > > floods and smurf attacts, etc thanks. > > > > For smurf attacks, I've done it 2 different ways before, assuming > > your local net is 192.168.0.0/24: > > > > # Permit traffic from local net 192.168.0.0/24 to broadcast addr. > > ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32 > > # Deny log traffic from outside local net to local broadcast > > ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0 > > Doesn't that just stop you from being used as a smurf amplifier? I think > the original poster wanted to know how to defend against being a smurf > victim, which is much more difficult. The best resources I've seen for No this DENIES anyone from outside trying to hit the broadcast on your local net. How are they suppose to hit your broadcast if it is blocked at your gateways? I was assuming that this FreeBSD machine IS the 'gateway' to his internal network and there was no other path into his local net. In the example I gave de0 is the outside interface to the world and his entire LAN is behind that. That will stop Smurf & Fraggle attacks from outside to his Local LAN. This attack should be blocked on ALL outside gateways or your local net will get nailed. I'm not concerned with anyone from the local LAN smurf attacking the local LAN because they will be affected just as well. However, you could add ipfw entries to DETECT this activity, but not block it. ******************************************************************* Nick Rogness Shaw's Principle: System Administrator Build a system that even a fool RapidNet, INC can use, and only a fool will nick@rapidnet.com want to use it. ******************************************************************* To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message