
Subject: Re: Problems with natd and simple firewall
From: Garrett Wollman (wollman@khavrinen.lcs.mit.edu)
Date: Tue Jul 25 2000 - 19:07:02 CDT


<<On Tue, 25 Jul 2000 19:39:41 -0400, Bill Fumerola <billf@chimesnet.com> said:

> (short of checking the route back before allowing the packet, which is more
> costly etc etc, cisco has something that does this).

Yep. Great feature, and it wouldn't be at all hard to implement in
FreeBSD (it should be pretty obvious how to add the check in
ip_forward()). Of course, even if you do that, you still need to
filter out the ``bad'' addresses:

Extended IP access list no-martians-dos-ai
    deny ip 0.0.0.0 0.255.255.255 any (66130 matches)
    deny ip 127.0.0.0 0.255.255.255 any (235210 matches)
    deny ip 192.0.2.0 0.0.0.255 any (2 matches)
    deny ip 10.0.0.0 0.255.255.255 any (1435097 matches)
    deny ip 172.16.0.0 0.15.255.255 any (686656 matches)
    deny ip 192.168.0.0 0.0.255.255 any (1461597 matches)
    deny ip 169.254.0.0 0.0.255.255 any (92100 matches)
    deny ip 224.0.0.0 15.255.255.255 any (653608 matches)
    deny ip any 128.52.0.255 0.0.255.0 (6266340 matches)
    [private stuff deleted]
    permit ip any any (82311204 matches)

(This is a bit misleading: I'm fairly certain that the last counter
has already wrapped, so the proportion is actually around a tenth of a
percent.)

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick
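The two mechanisms the reply puts side by side, a reverse-path check on the source address and a martian filter, modelled in Python as an added example (this is not code from the message or from FreeBSD). The access list is the one quoted above with the match counters dropped; the routing table, the interface names ext0/int0 and the sample packets are constructed for the example. It shows what a Cisco wildcard mask actually does (a non-contiguous wildcard such as 0.0.255.0 is not a netmask), and why, as Wollman says, a reverse-path check does not make the address filter redundant: on an interface that carries the default route, a spoofed 10/8 source passes the route-back check and only the ACL stops it.

```python
"""Martian ACL evaluation plus a strict reverse-path check (added example).

 1. A Cisco-style extended ACL evaluator using wildcard (inverse) masks,
    fed the martian list from the message with its counters removed.
 2. A strict reverse-path check: drop a packet unless the best route back
    to its source leaves through the interface the packet arrived on.

The routing table and interface names are constructed for the example.
"""
import ipaddress

# The access list quoted in the message, minus the per-line match counters.
ACL_TEXT = """
Extended IP access list no-martians-dos-ai
    deny ip 0.0.0.0 0.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 169.254.0.0 0.0.255.255 any
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip any 128.52.0.255 0.0.255.0
    permit ip any any
"""

# Constructed routing table: (prefix, egress interface).  ext0 faces the
# Internet and carries the default route; int0 faces the 128.52/16 campus.
ROUTES = [("0.0.0.0/0", "ext0"), ("128.52.0.0/16", "int0")]


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_spec(tok, i):
    """Parse one address spec at tok[i]; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acl(text):
    """Return [(action, src_spec, dst_spec)] for each permit/deny line."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                   # header line or blank
        action = tok[0]                # tok[1] is the protocol ("ip"), not needed here
        src, i = _parse_spec(tok, 2)
        dst, _ = _parse_spec(tok, i)   # trailing "(N matches)" text, if any, is ignored
        rules.append((action, src, dst))
    return rules


def spec_matches(spec, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    The wildcard need not be contiguous, which is what lets
    '128.52.0.255 0.0.255.0' mean 'the .255 address in every 128.52.x.0/24'
    (the directed-broadcast addresses of those subnets)."""
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF
    return (addr & keep) == (base & keep)


def acl_lookup(rules, src, dst):
    """First-match evaluation; returns (action, 1-based rule number).
    A Cisco ACL ends in an implicit deny, reported here as rule 0."""
    s, d = _ip(src), _ip(dst)
    for n, (action, sspec, dspec) in enumerate(rules, 1):
        if spec_matches(sspec, s) and spec_matches(dspec, d):
            return action, n
    return "deny", 0


def rpf_check(routes, src, ingress):
    """Strict reverse-path check, the 'check the route back' idea from the
    thread: longest-prefix lookup on the SOURCE address, then require that
    the route's egress interface equals the interface the packet came in on."""
    s = ipaddress.IPv4Address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if s in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == ingress


def forward_decision(rules, routes, src, dst, ingress):
    """Reverse-path check first, then the martian ACL."""
    if not rpf_check(routes, src, ingress):
        return "drop-rpf"
    action, n = acl_lookup(rules, src, dst)
    return "forward" if action == "permit" else "deny-acl-rule-%d" % n


RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Spoofed campus source arriving from the Internet: the route-back check catches it.
    print(forward_decision(RULES, ROUTES, "128.52.9.9", "8.8.8.8", "ext0"))
    # RFC 1918 source from the Internet: the default route points back out ext0,
    # so the route-back check passes and only the martian ACL stops it.
    print(forward_decision(RULES, ROUTES, "10.1.2.3", "128.52.1.1", "ext0"))
```

The second case in the main block is the reason the reply keeps the address filter even with a route-back check: strict reverse-path filtering only rejects sources that the routing table says live elsewhere, and a default route says nothing lives elsewhere. (Later FreeBSD releases expose this check in ipfw as the verrevpath option; the in-kernel check the reply sketches for ip_forward() is the same test.)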

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message