Date:      Tue, 9 Oct 2001 03:48:32 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Another firewall question - spoofing prevention and syntax
Message-ID:  <20011009034832.M350@blossom.cjclark.org>
In-Reply-To: <20011008233219.C589@acadia.ne.mediaone.net>; from leblanc%2Bfreebsd@smtp.ne.mediaone.net on Mon, Oct 08, 2001 at 11:32:20PM -0400
References:  <20011008233219.C589@acadia.ne.mediaone.net>

On Mon, Oct 08, 2001 at 11:32:20PM -0400, Louis LeBlanc wrote:
> Another firewall question, not for the faint of heart:
> 
> Is the following valid?
> 
> # Refuse incoming packets pretending to be from the external address.
> ipfw add deny log all from $IPADDR to any via (null) in  
> 
> # Refuse incoming packets claiming to be from a Class A, B or C
> # private network
> ipfw add deny all from $CLASS_A to any via (null) in
> ipfw add deny all from $CLASS_B to any via (null) in
> ipfw add deny all from $CLASS_C to any via (null) in
> 
> 
> I can't find any reference to the use of (null) as the interface name
> to prevent spoofing, but the tool I use online does this
> automagically.
> 
> Any ideas?

"(null)" is not a valid interface specification. However,

  # Refuse incoming packets pretending to be from the external address.
  ipfw add deny log all from $IPADDR to any in  
  
  # Refuse incoming packets claiming to be from a Class A, B or C
  # private network
  ipfw add deny all from $CLASS_A to any in
  ipfw add deny all from $CLASS_B to any in
  ipfw add deny all from $CLASS_C to any in

is perfectly valid.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
                                         cjclark@jhu.edu
                                         cjc@freebsd.org
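
Added example, not part of the original message: a shell function that prints the rules from this thread and refuses to write an unusable interface name such as "(null)" into them. The function name `antispoof_rules`, the address 203.0.113.7 and the interface `ed0` are constructed for illustration; the RFC 1918 ranges stand in for `$CLASS_A`, `$CLASS_B` and `$CLASS_C`.

```sh
#!/bin/sh
# Added example: print (not execute) the anti-spoofing rules from this thread.
# Addresses and the interface name used below are constructed sample values.

# RFC 1918 private ranges, standing in for $CLASS_A/$CLASS_B/$CLASS_C.
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"

# antispoof_rules EXT_IP [EXT_IF]   (hypothetical helper)
# With EXT_IF the rules are bound to that interface ("via IF in");
# without it they match inbound packets on any interface ("in").
# An interface name that is not a plain token (e.g. "(null)") is rejected
# instead of being written into a rule.
antispoof_rules() {
    ext_ip=$1
    ext_if=${2:-}
    if [ -z "$ext_ip" ]; then
        echo "antispoof_rules: missing external address" >&2
        return 2
    fi
    case $ext_if in
        "")
            match="in" ;;
        *[!A-Za-z0-9_.]*)
            echo "antispoof_rules: bad interface '$ext_if'" >&2
            return 1 ;;
        *)
            match="via $ext_if in" ;;
    esac
    # Packets arriving from outside must never carry our own address...
    echo "ipfw add deny log all from $ext_ip to any $match"
    # ...nor a private source address.
    for net in "$CLASS_A" "$CLASS_B" "$CLASS_C"; do
        echo "ipfw add deny all from $net to any $match"
    done
}

# Sample run with constructed values.
antispoof_rules 203.0.113.7 ed0
```

Without an interface the rules match inbound packets on every interface, so a LAN numbered from one of these ranges would be blocked as well; binding the rules to the outside interface avoids that.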
