Date: Tue, 25 Jul 2000 19:39:41 -0400 From: Bill Fumerola <billf@chimesnet.com> To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> Cc: Mike Hoskins <mike@adept.org>, Stephen Montgomery-Smith <stephen@math.missouri.edu>, freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall Message-ID: <20000725193941.P51462@jade.chc-chimes.com> In-Reply-To: <200007252128.OAA52048@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Tue, Jul 25, 2000 at 02:28:09PM -0700 References: <Pine.BSF.4.21.0007251250050.27676-100000@snafu.adept.org> <200007252128.OAA52048@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jul 25, 2000 at 02:28:09PM -0700, Rodney W. Grimes wrote:
> And I'll cast my vote against -antispoof for the following reasons.
Ditto.
> a) The non-problem it attempts to solve can be handled by a correct
> ipfw rule set.
>
> b) These are RFC1918 addresses and have little to nothing to do with
> spoofing. RFC1918 != spoof. Spoofing occurs when using ligitmate
> globally routed IP addresses, usually the attack targets address as a
> source address in a packet. The flag should be -antirfc1918.
>
> c) It also totally ignores the fact that the problematic IP addresses
> are much more than RFC1918 and include the following:
> 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4
> that need to be dealt with properly and carefully at both interfaces
> in a firewall.
Speaking has someone who operates a packet magnet, spoofed addresses come
from _EVERYWHERE_ and there isn't a whole lot you can do to stop that
(short of checking the route back before allowing the packet, which is more
costly etc etc, cisco has something that does this).
--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000725193941.P51462>