Date:      Tue, 14 Dec 1999 17:29:28 +1030
From:      Mark Newton <newton@atdot.dotat.org>
To:        Pierre Chiu <pccb@yahoo.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Why use a Firewall?
Message-ID:  <19991214172928.A80831@atdot.dotat.org>
In-Reply-To: <3855E2B4.59CDD2FD@yahoo.com>; from pccb@yahoo.com on Tue, Dec 14, 1999 at 01:24:52AM -0500
References:  <3855E2B4.59CDD2FD@yahoo.com>

On Tue, Dec 14, 1999 at 01:24:52AM -0500, Pierre Chiu wrote:
 > I don't think firewall can stop spoofed ip.
 > It can stop non-routable ip like (192.168.1.1), but if your ip is
 > 24.112.1.1 and you spoofed it as 24.118.1.1, I doubt firewall can detect
 > it.

Of course a firewall can do that.

Let's say your internal network is 192.82.222.0/24;  You can prevent
spoofed packets by applying a rule at your border which rejects 
inbound packets which claim 192.83.222.0/24 as a source.  In Cisco 
parlance:

   interface serial0
    ip access-group 101 in
    ip access-group 102 out
   !
   access-list 101 deny ip 192.82.222.0 0.0.0.255 any 
   access-list 101 permit ip any any
   access-list 102 permit ip 192.82.222.0 0.0.0.255 any
   access-list 102 deny ip any any

These rules will prevent your users from spoofing other networks and
other networks from spoofing you (but won't stop users on your
networks from spoofing systems on your network).  Tune to suit (e.g.:
include multicast addresses if it suits your fancy, block other things
which offend you, etc).

    - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
     but it hurt when I walked.                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----
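The two access lists above make one decision each, on the source address alone: inbound traffic may not claim an internal source, outbound traffic must. The following Python model is an added example (not code from the original message or from the FreeBSD list) that applies the same two rules to a few constructed packets so the permit/deny outcome of each case can be checked. It assumes the post's internal prefix 192.82.222.0/24 (Cisco wildcard 0.0.0.255 is a /24) and that a packet's direction on the border interface is known.

```python
"""Model of the border anti-spoofing filter described in the message above.

Added example, not part of the original post. Only the source address is
examined, because that is all access-lists 101 and 102 look at.
"""
from ipaddress import ip_address, ip_network

# Internal prefix from the post; wildcard mask 0.0.0.255 == /24.
INTERNAL = ip_network("192.82.222.0/24")


def inbound_permitted(src: str) -> bool:
    """access-list 101 (applied 'in' on serial0): deny a packet arriving from
    the outside that claims an internal source address; permit anything else."""
    return ip_address(src) not in INTERNAL


def outbound_permitted(src: str) -> bool:
    """access-list 102 (applied 'out' on serial0): permit only packets whose
    source is internal, so internal hosts cannot spoof other networks."""
    return ip_address(src) in INTERNAL


def filter_packets(packets):
    """Apply the access list matching each packet's direction on the border.

    packets: iterable of (direction, src, dst) with direction 'in' or 'out'.
    Returns a list of (direction, src, dst, verdict) tuples.
    """
    results = []
    for direction, src, dst in packets:
        if direction == "in":
            permitted = inbound_permitted(src)
        elif direction == "out":
            permitted = outbound_permitted(src)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        results.append((direction, src, dst, "permit" if permitted else "deny"))
    return results


# Constructed sample traffic crossing the border interface (serial0 in the post).
SAMPLE = [
    ("in", "24.112.1.1", "192.82.222.10"),     # ordinary external client
    ("in", "192.82.222.5", "192.82.222.10"),   # outsider spoofing an internal source
    ("out", "192.82.222.10", "24.112.1.1"),    # ordinary internal client
    ("out", "24.118.1.1", "24.112.1.1"),       # internal host spoofing an outside address
]

if __name__ == "__main__":
    for direction, src, dst, verdict in filter_packets(SAMPLE):
        print(f"{direction:3} {src:>15} -> {dst:<15} {verdict}")
```

The model also makes the post's caveat concrete: a packet sent from one 192.82.222.0/24 host to another never crosses serial0, so it has no direction here and neither rule ever sees it; stopping that requires filtering at the internal switch or router ports, not at the border.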

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991214172928.A80831>