From: Bart Matthaei
To: security@freebsd.org
Date: Mon, 12 Nov 2001 22:54:07 +0100
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112225407.A25048@heresy.dreamflow.nl>
In-Reply-To: <20011112134317.A46767@greg.cex.ca>

On Mon, Nov 12, 2001 at 01:43:17PM -0800, Greg White wrote:
> Since most ISPs do absolutely no filtering of RFC1918 addresses
> anywhere, you positively _must_ do this. Try the following:

[snap]

> 'Private' addresses are only private if all the routers on the internet
> refuse to route them. Most do not. :(

Very true, but it's possible for small home gateways to filter on
interface (allow everything from the private interface). In that case,
you're not firewalling on IP level, so spoofing makes no difference.

B.

-- 
Bart Matthaei
bart@dreamflow.nl

/* Welcome to my world..
   You just live in it */
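The difference discussed in this exchange, as an added example that is not part of the original message: a small Python model (not ipfw syntax) of a gateway that trusts by source address, the same gateway with RFC1918 sources dropped on the outside interface, and one that trusts by receiving interface. The interface names, the LAN prefix and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed inside network
LAN_IF, WAN_IF = "lan0", "wan0"                   # hypothetical interface names

@dataclass(frozen=True)
class Packet:
    src: str      # claimed source address (sender-controlled)
    recv_if: str  # interface the gateway received it on (not sender-controlled)

def by_address(pkt):
    """Trust anything whose source address claims to be on the LAN."""
    return ipaddress.ip_address(pkt.src) in LAN_NET

def by_address_antispoof(pkt):
    """Same, but first drop RFC1918 sources arriving on the outside interface."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.recv_if == WAN_IF and any(src in net for net in RFC1918):
        return False
    return by_address(pkt)

def by_interface(pkt):
    """Trust whatever arrives on the private interface; the address is not consulted."""
    return pkt.recv_if == LAN_IF

# Constructed sample traffic.
PACKETS = {
    "lan host": Packet("192.168.0.10", LAN_IF),
    "spoofed lan source from outside": Packet("192.168.0.10", WAN_IF),
    "internet host": Packet("203.0.113.7", WAN_IF),
}
POLICIES = {
    "address": by_address,
    "address+antispoof": by_address_antispoof,
    "interface": by_interface,
}

def evaluate():
    """Return {policy name: {packet label: allowed?}} for the sample traffic."""
    return {name: {label: policy(pkt) for label, pkt in PACKETS.items()}
            for name, policy in POLICIES.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

Only the plain address policy admits the spoofed packet; the other two reject it, one by filtering RFC1918 sources on the outside interface and the other by never looking at the source address.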