From owner-freebsd-security Tue Jul 25 19:47:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP id 709DA37BBFF
	for ; Tue, 25 Jul 2000 19:47:12 -0700 (PDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id WAA08877;
	Tue, 25 Jul 2000 22:47:10 -0400 (EDT)
	(envelope-from wollman)
Date: Tue, 25 Jul 2000 22:47:10 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200007260247.WAA08877@khavrinen.lcs.mit.edu>
To: Bill Fumerola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <20000725201435.Q51462@jade.chc-chimes.com>
References: <200007252128.OAA52048@gndrsh.dnsmgr.net>
	<20000725193941.P51462@jade.chc-chimes.com>
	<200007260007.UAA08510@khavrinen.lcs.mit.edu>
	<20000725201435.Q51462@jade.chc-chimes.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> I've pretty much been consumed with the 2k lines of ip_fw.c recently
> so I have a decent knowledge of how it works now (scary..), would this
> be something we'd want to do within ipfw or as a separate entity?

ipfw *hack* *spit* *cough*

OK, I've recovered now. It's probably easiest to do it in ipfw, since
that gives you a mechanism to specify it on an interface-by-interface
basis. Something like `deny from any to any !rpf-check via intX' (or,
for the converse, `pass from any to any rpf-check via intX'). I think
you need to be careful to do this only when packets arrive; if you do
this check on departing packets you may trip over some legitimate
traffic.

-GAWollman

-- 
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                      - Susan Aglukark and Chad Irschick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
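The reverse-path check discussed in the message, modelled as an added Python example (not code from this thread or from ipfw itself): a longest-prefix route lookup, an rpf_check that asks whether the packet's source would be routed back out the interface it arrived on, and a filter that applies the check only to arriving packets, which is the caveat Wollman raises. The routing table and the interface names int0/ext0 are constructed for the example.

```python
import ipaddress

# Constructed routing table for a natd/ipfw box: (prefix, interface the
# kernel would use to reach that prefix). int0/ext0 are made-up names.
ROUTES = [
    ("0.0.0.0/0", "ext0"),      # default route out the external interface
    ("10.0.0.0/8", "int0"),     # private network behind the NAT box
    ("192.0.2.0/24", "ext0"),   # the box's own public subnet (TEST-NET-1)
]

def lookup_iface(addr):
    """Longest-prefix-match lookup: which interface routes toward addr?"""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def rpf_check(src, ingress_iface):
    """Reverse-path check: a packet passes if the route back to its source
    address leaves through the interface the packet arrived on."""
    return lookup_iface(src) == ingress_iface

def filter_packet(src, iface, direction, rpf_ifaces=("int0", "ext0")):
    """Models `deny from any to any !rpf-check` on the listed interfaces,
    applied only to arriving packets. Departing packets are left alone:
    a reply being forwarded out int0 carries an external source address
    and would wrongly fail the check, which is the legitimate traffic the
    message warns about."""
    if direction == "in" and iface in rpf_ifaces and not rpf_check(src, iface):
        return "deny"
    return "pass"

if __name__ == "__main__":
    # Spoofed private source arriving from the Internet side: denied.
    print(filter_packet("10.1.2.3", "ext0", "in"))       # deny
    # The same internal host seen on the internal interface: passed.
    print(filter_packet("10.1.2.3", "int0", "in"))       # pass
    # Reply being forwarded inward, checked on departure: must pass.
    print(filter_packet("198.51.100.9", "int0", "out"))  # pass
```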