Date: Sun, 23 Oct 2005 20:23:43 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Chuck Swiger <cswiger@mac.com>
Cc: Eric F Crist <ecrist@secure-computing.net>, freebsd questions <freebsd-questions@freebsd.org>
Subject: Re: RFC: my firewall ruleset(s)
Message-ID: <20051023172343.GA1290@flame.pc>
In-Reply-To: <435BB665.70001@mac.com>
References: <1440F1E5-DC5A-4C7B-AC72-8ECBEC7B4A65@secure-computing.net> <435BB665.70001@mac.com>
On 2005-10-23 12:12, Chuck Swiger <cswiger@mac.com> wrote:
> You have anti-spoofing for the loopback, lo0 interface, but not for
> your other interfaces.  You should add anti-spoofing rules, and also
> block strict and loose source routing [1]:
>
> # Stop strict and loose source routing
> add deny log all from any to any ipoptions ssrr
> add deny log all from any to any ipoptions lsrr

Agreed.  Please note that this is ``an extra layer of protection''
though.  The relevant bits are already disabled through sysctl
settings, by default, and have to be explicitly enabled:

% flame:/home/keramida$ sysctl -a | fgrep accept_source
% net.inet.ip.accept_sourceroute: 0
% flame:/home/keramida$ sysctl -a | fgrep redirect
% net.inet.ip.redirect: 1
% net.inet.icmp.log_redirect: 1
% net.inet.icmp.drop_redirect: 1
% net.inet6.ip6.redirect: 1
% flame:/home/keramida$

I'm sure Chuck already knows this.  Just adding a minor note, to make
sure you, Eric, don't get the wrong impression that a firewall is an
absolute *requirement* to block these.
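The message above makes a defence-in-depth point: the kernel knobs are the
first layer and the ipfw rules are a second one.  The script below is an
added example, not code from this thread or from FreeBSD; it audits the
sysctl knobs the reply lists against expected values and prints the two
ipfw rules Chuck suggested so both layers can be checked together.  The
function names, the rule numbers and the SAMPLE text (constructed to look
like sysctl(8) output, not captured from a real host) are my own
assumptions.  One caveat on the expected values: net.inet.ip.accept_sourceroute
defaults to 0 on FreeBSD, but net.inet.icmp.drop_redirect and
net.inet.icmp.log_redirect default to 0, so treating 1 as the wanted value
for those two mirrors the hardened host shown in the reply rather than a
stock install.

```shell
#!/bin/sh
# Added example (not from the thread): audit the sysctl knobs discussed
# above and emit the matching ipfw rules as a second layer.
# Assumptions: function names, rule numbers and SAMPLE are mine.

# Read "key: value" lines in sysctl(8) format on stdin and compare the
# three knobs that matter for source routing and ICMP redirects.
# Prints one verdict per knob; returns the number of knobs that are
# missing or not at the expected value (0 means all good).
audit_sysctl() {
    input=$(cat)
    bad=0
    for want in \
        net.inet.ip.accept_sourceroute=0 \
        net.inet.icmp.drop_redirect=1 \
        net.inet.icmp.log_redirect=1
    do
        key=${want%=*}
        expect=${want#*=}
        # sysctl prints "name: value"; match on the name plus colon.
        actual=$(printf '%s\n' "$input" | awk -v k="$key:" '$1 == k { print $2 }')
        if [ -z "$actual" ]; then
            echo "MISSING  $key"
            bad=$((bad + 1))
        elif [ "$actual" = "$expect" ]; then
            echo "OK       $key=$actual"
        else
            echo "WRONG    $key=$actual (want $expect)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Print the two ipfw rules from the quoted reply, numbered from $1
# (default 100) so they land ahead of any permissive rule in the set.
ipfw_sourceroute_rules() {
    n=${1:-100}
    for opt in ssrr lsrr; do
        echo "add $n deny log all from any to any ipoptions $opt"
        n=$((n + 1))
    done
}

# Constructed sample mirroring the host in the reply (not a real capture).
SAMPLE='net.inet.ip.accept_sourceroute: 0
net.inet.ip.redirect: 1
net.inet.icmp.log_redirect: 1
net.inet.icmp.drop_redirect: 1
net.inet6.ip6.redirect: 1'

printf '%s\n' "$SAMPLE" | audit_sysctl || echo "$? knob(s) need attention"
ipfw_sourceroute_rules 100
```

On a FreeBSD box feed the function live output instead of the sample, e.g.
`sysctl net.inet.ip.accept_sourceroute net.inet.icmp.drop_redirect net.inet.icmp.log_redirect | audit_sysctl`,
and add the rules with `ipfw_sourceroute_rules 100 | while read -r rule; do ipfw $rule; done`
(each printed line is a complete ipfw(8) argument list starting with "add").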
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051023172343.GA1290>