Date: Tue, 25 Jul 2000 17:12:28 -0500 From: Stephen Montgomery-Smith <stephen@math.missouri.edu> To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> Cc: Mike Hoskins <mike@adept.org>, freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall Message-ID: <397E10CC.BF84B0E7@math.missouri.edu> References: <200007252128.OAA52048@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
"Rodney W. Grimes" wrote: > > And I'll cast my vote against -antispoof for the following reasons. > > a) The non-problem it attempts to solve can be handled by a correct > ipfw rule set. Well, now that I understand a bit how dynamic rules work, I'm going to agree with this vote against my own idea. Those dynamic rules are really very very nice. But maybe a dynamic rule set should be put into the default rc.firewall - perhaps not replace simple, but an additional - maybe call it dynamic. Also, it would be good to add some comments to rc.firewall to explain this. > > b) These are RFC1918 addresses and have little to nothing to do with > spoofing. RFC1918 != spoof. Spoofing occurs when using ligitmate > globally routed IP addresses, usually the attack targets address as a > source address in a packet. The flag should be -antirfc1918. That is easily fixed. --- So my programming effort was perhaps a waste of time, except I got to see some of the inner workings of natd - truly beautiful. -- Stephen Montgomery-Smith Department of Mathematics, University of Missouri, Columbia, MO 65211 Phone 573-882-4540, fax 573-882-1869 http://www.math.missouri.edu/~stephen stephen@math.missouri.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?397E10CC.BF84B0E7>