Date: Tue, 25 Jul 2000 14:28:09 -0700 (PDT) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: mike@adept.org (Mike Hoskins) Cc: stephen@math.missouri.edu (Stephen Montgomery-Smith), freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall Message-ID: <200007252128.OAA52048@gndrsh.dnsmgr.net> In-Reply-To: <Pine.BSF.4.21.0007251250050.27676-100000@snafu.adept.org> from Mike Hoskins at "Jul 25, 2000 12:50:46 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
>
> > We could add another option to natd that would disallow
> > any outgoing packets sent to an unregistered ip address,
> > and disallow any incoming packets from or to an unregistered
> > ip address. Call it -antispoof.
>
> If it makes it easier for everyone (and I don't see how it wouldn't), I'll
> cast my vote for -antispoof.
And I'll cast my vote against -antispoof for the following reasons.
a) The non-problem it attempts to solve can be handled by a correct
ipfw rule set.
b) These are RFC1918 addresses and have little to nothing to do with
spoofing. RFC1918 != spoof. Spoofing occurs when using ligitmate
globally routed IP addresses, usually the attack targets address as a
source address in a packet. The flag should be -antirfc1918.
c) It also totally ignores the fact that the problematic IP addresses
are much more than RFC1918 and include the following:
0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4
that need to be dealt with properly and carefully at both interfaces
in a firewall.
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200007252128.OAA52048>