Date: Mon, 12 Nov 2001 21:21:20 +0100
From: Bart Matthaei <bart@dreamflow.nl>
To: security@freebsd.org
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112212120.A24857@heresy.dreamflow.nl>
In-Reply-To: <001201c16b82$4da9d1e0$9700a8c0@ezri>
List: freebsd-security

On Mon, Nov 12, 2001 at 08:59:47AM -0500, Wade Majors wrote:
> These are the only things before natd, which is rule 00050.

That's a good thing. It's wise to set those rules before you pass any packet to natd.

> In the few days I've had them in; it hasn't caught anything, so I'm
> going to assume this isn't breaking anything legitimate. The question
> is: is this the right way to check for this stuff, anyway? Should I even
> worry about this since my network is using private IPs?

The chance of people using this technique on a home gateway isn't very big; nevertheless, securing yourself from it is a good thing.

The way you deny access to your services (set up for your private net) from the outside world depends on your technique of firewalling. I set a default rule on deny, and allow everything coming in from my private network's interface (so not with IP classes). If you allow services for your internal net by allowing certain IP classes, it's wise to block packets coming from those IP classes received by the external interface. (deny all from $ipclass to any recv $external_if)

Hope this helps ;)

Regards,

B.

-- 
Bart Matthaei bart@dreamflow.nl /* Welcome to my world.. You just live in it */
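The rule Bart describes, "deny all from $ipclass to any recv $external_if", written out for each RFC 1918 range as a small sh fragment in the style of an rc.firewall. This is an added example, not code from the thread or from FreeBSD; the interface name, rule numbers and the dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail or FreeBSD's rc.firewall.
# Emits anti-spoofing rules of the form the reply describes:
#   deny all from $ipclass to any recv $external_if
# numbered below the natd divert rule (00050 in the quoted setup) so they
# inspect the packet before natd has rewritten its addresses.
# Assumptions: interface name and rule numbers are illustrative; IPFW
# defaults to a dry run that only prints the commands it would issue.
IPFW="${IPFW:-echo ipfw}"
EXT_IF="${EXT_IF:-fxp0}"
NATD_RULE=50

# Source ranges that should never arrive on the external interface.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

antispoof_rules() {
    n=10
    for net in $PRIVATE_NETS; do
        # Refuse to emit a rule that would sort after the natd divert.
        if [ "$n" -ge "$NATD_RULE" ]; then
            echo "rule number $n would land after natd (rule $NATD_RULE)" >&2
            return 1
        fi
        # "in recv $EXT_IF" matches packets entering on the external
        # interface; a private source address there is spoofed or misrouted.
        $IPFW add "$n" deny log ip from "$net" to any in recv "$EXT_IF"
        n=$((n + 1))
    done
}

antispoof_rules
```

Run with IPFW=ipfw on the gateway to install the rules instead of printing them.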