OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Problems with natd and simple firewall
From: Rodney W. Grimes (freebsdgndrsh.dnsmgr.net)
Date: Tue Jul 25 2000 - 16:28:09 CDT

> On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
>
> > We could add another option to natd that would disallow
> > any outgoing packets sent to an unregistered ip address,
> > and disallow any incoming packets from or to an unregistered
> > ip address. Call it -antispoof.
>
> If it makes it easier for everyone (and I don't see how it wouldn't), I'll
> cast my vote for -antispoof.

And I'll cast my vote against -antispoof for the following reasons.

a) The non-problem it attempts to solve can be handled by a correct
    ipfw rule set.

b) These are RFC1918 addresses and have little to nothing to do with
    spoofing. RFC1918 != spoof. Spoofing occurs when using ligitmate
    globally routed IP addresses, usually the attack targets address as a
    source address in a packet. The flag should be -antirfc1918.

c) It also totally ignores the fact that the problematic IP addresses
    are much more than RFC1918 and include the following:
        0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4
    that need to be dealt with properly and carefully at both interfaces
    in a firewall. 

-- 
Rod Grimes - KD7CAX  CN85sl - (RWG25)               rgrimesgndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message