From owner-freebsd-security Mon Jun 24 07:58:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA27350 for security-outgoing; Mon, 24 Jun 1996 07:58:55 -0700 (PDT)
Received: from parkplace.cet.co.jp (parkplace.cet.co.jp [202.32.64.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA27324; Mon, 24 Jun 1996 07:58:49 -0700 (PDT)
Received: from localhost (michaelh@localhost) by parkplace.cet.co.jp (8.7.5/CET-v2.1) with SMTP id XAA07216; Mon, 24 Jun 1996 23:58:11 +0900 (JST)
Date: Mon, 24 Jun 1996 23:58:10 +0900 (JST)
From: Michael Hancock
To: Ollivier Robert
cc: "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606241143.NAA09908@keltia.freenix.fr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Maybe someone should ask pu.ru to filter outgoing non-pu.ru packets.
Some ISPs do this.

On Mon, 24 Jun 1996, Ollivier Robert wrote:

> It seems that Jordan K. Hubbard said:
> > How do you install such things on a cisco 2500? :-) Seriously, if
> > there's a way then I can get someone from cisco to help me out, but I
> > first need to know that it's even a reasonable request.
>
> If you use Serial0 for the Internet and A.B.C.0/24 in your internal
> network, use something like the following:
>
> !
> ! Refuses loose/strict source routed packets
> !
> no ip source-route
> !
> interface Serial0
> ip address A.B.C.254 255.255.255.0
> ip access-g 100 in
> ip access-g 101 out
>
> ...
>
> ! access list for incoming packets
> ! should fix most of the new attacks when a spoofed packet
> ! is trying to come from the outside with a source address
> ! from our network which is impossible.
> !
> no access-list 100
> !
> ! Rejects our own addresses C-Class A.B.C.0/24
> !
> access-list 100 deny ip A.B.C.0 0.0.0.255 any
> !
> ! Rejects EPITA B-Class 163.5.0.0/16
> !
> access-list 100 deny ip 163.5.0.0 0.0.255.255 any
> !
> ! Rejects special addresses
> !
> access-list 100 deny ip 127.0.0.0 0.255.255.255 any
> !
> ! RFC-1918 IANA reserved A/B/C classes
> ! A-Class 10.0.0.0/8
> !
> access-list 100 deny ip 10.0.0.0 0.255.255.255 any
> !
> ! B-Classes 172.16.0.0/12
> !
> access-list 100 deny ip 172.16.0.0 0.15.255.255 any
> !
> ! C-Classes 192.168.0.0/16
> !
> access-list 100 deny ip 192.168.0.0 0.0.255.255 any
> !
> ! Accepts the rest
> !
> access-list 100 permit ip any A.B.C.0 0.0.0.255
>
> --
> Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 2.2-CURRENT #11: Thu Jun 13 11:01:47 MET DST 1996
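The following is an added example, not part of the list thread or of Ollivier's router configuration: a small Python model of how IOS evaluates the quoted access-list 100 (top-down first match, wildcard masks where a 1 bit means "don't care", and the implicit deny that ends every access list). It lets a reader check which packets the ingress filter blocks before applying it to a real router. The post's placeholder A.B.C.0/24 is replaced here with the documentation prefix 198.51.100.0/24, and the test addresses are constructed; both are assumptions of this example.

```python
"""Model Cisco extended-ACL evaluation for an anti-spoofing ingress filter."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed copy of the quoted access-list 100. The post's A.B.C.0/24 is
# replaced with 198.51.100.0/24 (an assumption; it is a documentation prefix).
ACL_100 = """
! Rejects our own addresses (spoofed "inside" sources arriving from outside)
access-list 100 deny ip 198.51.100.0 0.0.0.255 any
! Rejects EPITA B-Class 163.5.0.0/16
access-list 100 deny ip 163.5.0.0 0.0.255.255 any
! Rejects loopback
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
! RFC-1918 private ranges
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
! Accepts the rest, but only when addressed to our own network
access-list 100 permit ip any 198.51.100.0 0.0.0.255
"""

# (action, (src_addr, src_wildcard), (dst_addr, dst_wildcard)), all as 32-bit ints
Rule = Tuple[str, Tuple[int, int], Tuple[int, int]]
ANY = (0, 0xFFFFFFFF)  # wildcard of all ones matches every address


def _parse_spec(tok: List[str], pos: int) -> Tuple[Tuple[int, int], int]:
    """Parse one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[pos] == "any":
        return ANY, pos + 1
    if tok[pos] == "host":
        return (int(ipaddress.IPv4Address(tok[pos + 1])), 0), pos + 2
    addr = int(ipaddress.IPv4Address(tok[pos]))
    wild = int(ipaddress.IPv4Address(tok[pos + 1]))
    return (addr, wild), pos + 2


def parse_acl(text: str, number: str = "100") -> List[Rule]:
    """Turn 'access-list N {permit|deny} ip SRC DST' lines into Rule tuples, in order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", number] or tok[3] != "ip":
            continue  # only plain "ip" entries of the requested list are modelled
        src, pos = _parse_spec(tok, 4)
        dst, _ = _parse_spec(tok, pos)
        rules.append((tok[2], src, dst))
    return rules


def _matches(ip: int, spec: Tuple[int, int]) -> bool:
    """Wildcard match: bits set in the wildcard are ignored, the rest must be equal."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet, as the router would."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in rules:
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return action  # first matching entry wins
    return "deny"  # implicit deny at the end of every IOS access list


RULES = parse_acl(ACL_100)

# Constructed sample packets as seen inbound on Serial0: (source, destination).
SAMPLES: Dict[str, Tuple[str, str]] = {
    "spoofed inside source": ("198.51.100.7", "198.51.100.1"),
    "rfc1918 source": ("10.1.2.3", "198.51.100.1"),
    "top of 172.16/12": ("172.31.255.255", "198.51.100.1"),
    "just past 172.16/12": ("172.32.0.1", "198.51.100.1"),
    "legitimate outside source": ("203.0.113.5", "198.51.100.1"),
    "transit not for us": ("203.0.113.5", "203.0.113.9"),
}


def check_samples() -> Dict[str, str]:
    """Evaluate every sample packet and return {label: verdict}."""
    return {label: evaluate(RULES, s, d) for label, (s, d) in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in check_samples().items():
        print(f"{verdict:6} {label}")
```

The "just past 172.16/12" and "transit not for us" cases are the ones worth noticing: the 0.15.255.255 wildcard stops exactly at 172.31.255.255, and a packet from a valid outside source that is not addressed to our /24 is dropped by the implicit deny, since the final permit only covers traffic to A.B.C.0/24.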