From owner-freebsd-security Mon Nov 12 06:00:23 2001
Delivered-To: freebsd-security@freebsd.org
From: "Wade Majors"
Subject: Filtering packets based on incoming address [ack. plaintext now]
Date: Mon, 12 Nov 2001 08:59:47 -0500

When reading through http://www.sans.org/top20.htm the other day, I noticed G5. It talks about how packets can be "spoofed" to really target a machine on my network and not the gateway. I added these rules to my /etc/ipfw.rules file:

    # block spoofed packets going to private network
    add 00001 deny ip from any to 192.168.0.0/24 in recv fxp0
    # block spoofed packets going to cable modem
    add 00002 deny ip from any to 10.97.48.1 in recv fxp0

These are the only things before natd, which is rule 00050. In the few days I've had them in, it hasn't caught anything, so I'm going to assume this isn't breaking anything legitimate.

The question is: is this the right way to check for this stuff, anyway? Should I even worry about this since my network is using private IPs?

-Wade
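Added example, not from the post and not FreeBSD's ipfw code: a small first-match evaluator in Python for the subset of ipfw syntax used in the post, to show which packets arriving on the external interface the two deny rules catch and which they let through to natd. It assumes, as the post does, that fxp0 is the external (cable-modem) interface, 192.168.0.0/24 is the LAN and 10.97.48.1 is the modem's address; 203.0.113.7 is a made-up public address for the gateway, fxp1 a made-up inside interface, and rule 00003 is added here as the source-address counterpart of the post's destination rules (RFC 2827-style ingress filtering), which is the other half of what the SANS G5 item is about.

```python
"""Added example: first-match evaluator for ipfw-style deny rules.
This simulates rule matching only; it is not ipfw and does not touch
the network.  Packets and addresses below are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed layout (from the post): fxp0 is the cable-modem side.
EXTERNAL_IF = "fxp0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    recv_if: str          # interface the packet arrived on
    direction: str = "in"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str           # "deny" or "allow"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str] = None   # "in", "out" or unrestricted
    recv_if: Optional[str] = None     # "recv IF" or unrestricted


def _net(spec: str) -> ipaddress.IPv4Network:
    """'any' or a host/CIDR.  strict=False mirrors ipfw, which masks
    192.168.0.1/24 to 192.168.0.0/24 rather than rejecting it."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse: add NNN deny|allow ip from A to B [in|out] [recv IF]"""
    tok = line.split()
    if tok[0] != "add" or tok[3] != "ip" or tok[4] != "from" or tok[6] != "to":
        raise ValueError(f"unsupported rule: {line!r}")
    number, action = int(tok[1]), tok[2]
    src, dst = _net(tok[5]), _net(tok[7])
    direction = recv_if = None
    rest = tok[8:]
    i = 0
    while i < len(rest):
        if rest[i] in ("in", "out"):
            direction = rest[i]
            i += 1
        elif rest[i] == "recv":
            recv_if = rest[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token {rest[i]!r}")
    return Rule(number, action, src, dst, direction, recv_if)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.recv_if is None or rule.recv_if == pkt.recv_if))


def evaluate(rules, pkt: Packet, default: str = "allow"):
    """First matching rule wins, as in ipfw.  Returns (number, action);
    (None, default) means no rule fired and the packet continues to
    whatever comes next (in the post, the natd divert at rule 00050)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    return None, default


# Rules 1 and 2 are the post's; rule 3 is added here (source check).
RULESET = [parse_rule(line) for line in [
    "add 00001 deny ip from any to 192.168.0.0/24 in recv fxp0",
    "add 00002 deny ip from any to 10.97.48.1 in recv fxp0",
    "add 00003 deny ip from 192.168.0.0/24 to any in recv fxp0",
]]

# Constructed sample traffic seen on the gateway.
SAMPLES = {
    "spoofed dst, aimed at a LAN host": Packet("198.51.100.9", "192.168.0.10", "fxp0"),
    "spoofed dst, aimed at the modem":  Packet("198.51.100.9", "10.97.48.1", "fxp0"),
    "spoofed src, claims to be LAN":    Packet("192.168.0.10", "198.51.100.9", "fxp0"),
    "normal inbound to public address": Packet("198.51.100.9", "203.0.113.7", "fxp0"),
    "LAN host talking to gateway":      Packet("192.168.0.10", "192.168.0.1", "fxp1"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:36s} -> {evaluate(RULESET, pkt)}")
```

Two things the simulation makes visible: the post's rules key only on the destination, so a packet that arrives on fxp0 with a forged LAN source (the third sample) passes them and reaches natd, which is why rule 00003 is worth adding; and the `recv fxp0` qualifier is what keeps ordinary LAN-to-gateway traffic on the inside interface out of the deny rules. Be careful before extending the source check to all of 10.0.0.0/8 on a cable connection: the ISP's DHCP server or the modem itself may legitimately speak from a 10.x address, so watch the counters on such a rule before trusting it.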