Date: Tue, 25 Jul 2000 14:28:09 -0700 (PDT) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: mike@adept.org (Mike Hoskins) Cc: stephen@math.missouri.edu (Stephen Montgomery-Smith), freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall Message-ID: <200007252128.OAA52048@gndrsh.dnsmgr.net> In-Reply-To: <Pine.BSF.4.21.0007251250050.27676-100000@snafu.adept.org> from Mike Hoskins at "Jul 25, 2000 12:50:46 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote: > > > We could add another option to natd that would disallow > > any outgoing packets sent to an unregistered ip address, > > and disallow any incoming packets from or to an unregistered > > ip address. Call it -antispoof. > > If it makes it easier for everyone (and I don't see how it wouldn't), I'll > cast my vote for -antispoof. And I'll cast my vote against -antispoof for the following reasons. a) The non-problem it attempts to solve can be handled by a correct ipfw rule set. b) These are RFC1918 addresses and have little to nothing to do with spoofing. RFC1918 != spoof. Spoofing occurs when using ligitmate globally routed IP addresses, usually the attack targets address as a source address in a packet. The flag should be -antirfc1918. c) It also totally ignores the fact that the problematic IP addresses are much more than RFC1918 and include the following: 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4 that need to be dealt with properly and carefully at both interfaces in a firewall. -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200007252128.OAA52048>