From owner-freebsd-security  Tue Jul 25 16:39:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6])
	by hub.freebsd.org (Postfix) with ESMTP id EF7E137BB80
	for <freebsd-security@FreeBSD.ORG>; Tue, 25 Jul 2000 16:39:45 -0700 (PDT)
	(envelope-from billf@jade.chc-chimes.com)
Received: by jade.chc-chimes.com (Postfix, from userid 1001)
	id 9319F1C64; Tue, 25 Jul 2000 19:39:41 -0400 (EDT)
Date: Tue, 25 Jul 2000 19:39:41 -0400
From: Bill Fumerola <billf@chimesnet.com>
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc: Mike Hoskins <mike@adept.org>,
	Stephen Montgomery-Smith <stephen@math.missouri.edu>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000725193941.P51462@jade.chc-chimes.com>
References: <Pine.BSF.4.21.0007251250050.27676-100000@snafu.adept.org> <200007252128.OAA52048@gndrsh.dnsmgr.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200007252128.OAA52048@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Tue, Jul 25, 2000 at 02:28:09PM -0700
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jul 25, 2000 at 02:28:09PM -0700, Rodney W. Grimes wrote:

> And I'll cast my vote against -antispoof for the following reasons.

Ditto.

> a)  The non-problem it attempts to solve can be handled by a correct
>     ipfw rule set.
> 
> b)  These are RFC1918 addresses and have little to nothing to do with
>     spoofing.  RFC1918 != spoof.  Spoofing occurs when using ligitmate
>     globally routed IP addresses, usually the attack targets address as a
>     source address in a packet.  The flag should be -antirfc1918.
> 
> c)  It also totally ignores the fact that the problematic IP addresses
>     are much more than RFC1918 and include the following:
> 	0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4
>     that need to be dealt with properly and carefully at both interfaces
>     in a firewall.

Speaking has someone who operates a packet magnet, spoofed addresses come
from _EVERYWHERE_ and there isn't a whole lot you can do to stop that
(short of checking the route back before allowing the packet, which is more
costly etc etc, cisco has something that does this).

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
                billf@chimesnet.com / billf@FreeBSD.org





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message