Date: Mon, 12 Nov 2001 22:54:07 +0100
From: Bart Matthaei <bart@dreamflow.nl>
To: security@freebsd.org
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112225407.A25048@heresy.dreamflow.nl>
In-Reply-To: <20011112134317.A46767@greg.cex.ca>; from gregw-freebsd-security@greg.cex.ca on Mon, Nov 12, 2001 at 01:43:17PM -0800
References: <001201c16b82$4da9d1e0$9700a8c0@ezri> <20011112134317.A46767@greg.cex.ca>

On Mon, Nov 12, 2001 at 01:43:17PM -0800, Greg White wrote:
> Since most ISPs do absolutely no filtering of RFC1918 addresses
> anywhere, you positively _must_ do this. Try the following:

[snap]

> 'Private' addresses are only private if all the routers on the internet
> refuse to route them. Most do not. :(

Very true, but it's possible for small home gateways to filter on
interface (allow everything from the private interface). In that case,
you're not firewalling on IP level, so spoofing makes no difference.

B.

--
Bart Matthaei
bart@dreamflow.nl

/* Welcome to my world.. You just live in it */
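
Added example, not part of the original message or of either poster's ruleset: a small first-match rule evaluator that contrasts trusting a source address with trusting the receiving interface, and with the RFC1918 ingress filtering recommended in the quoted text. The interface names `int0`/`ext0`, the LAN range 192.168.0.0/16 and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 private ranges.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# A packet as the gateway sees it: receiving interface plus the source
# address claimed in the IP header (which the sender controls).
Packet = namedtuple("Packet", "iface src")

# A rule matches on interface and/or source network; None means "any".
Rule = namedtuple("Rule", "action iface src_net", defaults=(None, None))

def matches(rule, pkt):
    if rule.iface is not None and pkt.iface != rule.iface:
        return False
    if rule.src_net is not None:
        net = ipaddress.ip_network(rule.src_net)
        if ipaddress.ip_address(pkt.src) not in net:
            return False
    return True

def evaluate(rules, pkt):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Hypothetical interface names: int0 = private side, ext0 = ISP side.
# 1) Trust by source address only: the weak form.
BY_ADDRESS = [Rule("allow", src_net="192.168.0.0/16")]
# 2) Trust by receiving interface: the claimed source address is never
#    consulted, so a spoofed one changes nothing.
BY_INTERFACE = [Rule("allow", iface="int0")]
# 3) Address-based trust with RFC1918 sources dropped on the external
#    interface first.
BY_ADDRESS_FILTERED = (
    [Rule("deny", iface="ext0", src_net=n) for n in RFC1918] + BY_ADDRESS
)

# Constructed sample packets.
LAN_HOST = Packet("int0", "192.168.0.10")   # genuine internal host
SPOOFED = Packet("ext0", "192.168.0.10")    # same address, wrong side

if __name__ == "__main__":
    for name, rules in (("by-address", BY_ADDRESS),
                        ("by-interface", BY_INTERFACE),
                        ("by-address+filter", BY_ADDRESS_FILTERED)):
        print(name, evaluate(rules, LAN_HOST), evaluate(rules, SPOOFED))
```
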