Re: Is this a hole in my firewall?

From: Jonathon McKitrick (jcm_at_FreeBSD-uk.eu.org)
Date: 11/28/04

    Date: Sun, 28 Nov 2004 04:48:47 +0000
    To: Giorgos Keramidas <keramida@ceid.upatras.gr>

    On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
    : AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
    : you also have rule 00200 in there.

    Hmmm.... here's a run after having the laptop running for a bit. I don't
    see why 200 doesn't cover the case either.

    root@neptune:~# ipfw show
    00100 0 0 check-state
    00200 6709 1277079 allow ip from me to any keep-state out xmit tun0
    00300 2093 645797 allow ip from any to any keep-state out xmit tun0
    00400 91 7308 deny tcp from any to any in recv tun0 established
    00500 43 6869 allow ip from any to any via vr0
    00600 52 3080 allow ip from any to any via lo0
    00700 0 0 deny ip from any to 127.0.0.0/8
    00800 0 0 deny ip from 127.0.0.0/8 to any
    00900 0 0 allow tcp from any to me 22 keep-state in recv vr0 setup
    01000 0 0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
    01100 11 1371 deny log logamount 100 ip from any to any
    65535 0 0 deny ip from any to any
    root@neptune:~#

    jm

    --
    My other computer is your Windows box.
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
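The point under discussion is whether packets can ever reach rule 00300 when 00200 precedes it. The following is an added illustration, not code from the thread or from ipfw: a small first-match walk over the ruleset posted above, with the laptop's interface addresses, a LAN host and every packet constructed for the demonstration (the page does not say what addresses the laptop had). It shows that "from me" in 00200 matches only the host's own addresses, so any packet leaving tun0 with a different source (for instance one forwarded from a host on vr0, which still carries the LAN source when ipfw sees it on xmit tun0) falls through to 00300; that 00900 is shadowed by 00500 for anything arriving on vr0; and that packets accepted through a dynamic entry are charged to the rule that created it, so check-state's own counter stays at 0.

```python
import ipaddress
LOCAL_ADDRS = {"192.0.2.10", "10.0.0.1"}   # hypothetical tun0/vr0 addresses; ipfw "me" means any of them

# The ruleset from the `ipfw show` output above, counters omitted.
RULESET = """
00100 check-state
00200 allow ip from me to any keep-state out xmit tun0
00300 allow ip from any to any keep-state out xmit tun0
00400 deny tcp from any to any in recv tun0 established
00500 allow ip from any to any via vr0
00600 allow ip from any to any via lo0
00700 deny ip from any to 127.0.0.0/8
00800 deny ip from 127.0.0.0/8 to any
00900 allow tcp from any to me 22 keep-state in recv vr0 setup
01000 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
01100 deny log logamount 100 ip from any to any
65535 deny ip from any to any
"""

def parse_rule(line):
    # Parses only the subset of ipfw(8) syntax the posted ruleset uses.
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "opts": {}, "sport": None, "dport": None}
    if r["action"] == "check-state":
        return r
    i = 5 if t[2] == "log" else 2            # "log logamount N" is not a match criterion
    r["proto"], i = t[i], i + 1
    assert t[i] == "from"; r["src"], i = t[i + 1], i + 2
    if t[i].isdigit(): r["sport"], i = int(t[i]), i + 1
    assert t[i] == "to"; r["dst"], i = t[i + 1], i + 2
    if i < len(t) and t[i].isdigit(): r["dport"], i = int(t[i]), i + 1
    while i < len(t):                        # remaining tokens are match options
        k, i = t[i], i + 1
        if k in ("recv", "xmit", "via"): r["opts"][k], i = t[i], i + 1
        elif k == "icmptype": r["opts"][k], i = {int(x) for x in t[i].split(",")}, i + 1
        elif k in ("in", "out"): r["opts"]["dir"] = k
        elif k in ("keep-state", "established", "setup"): r["opts"][k] = True
        else: raise ValueError("unsupported ipfw option %r" % k)
    return r

def addr_match(spec, addr):
    if spec == "any": return True
    if spec == "me": return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, p):
    o = r["opts"]
    if r["proto"] != "ip" and r["proto"] != p["proto"]: return False
    if not (addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])): return False
    if any(r[k] is not None and p[k] != r[k] for k in ("sport", "dport")): return False
    if any(k in o and p[k] != o[k] for k in ("dir", "recv", "xmit")): return False
    if "via" in o and o["via"] not in (p["recv"], p["xmit"]): return False
    if "established" in o and not (p["flags"] & {"ack", "rst"}): return False    # ACK or RST set
    if "setup" in o and not ("syn" in p["flags"] and "ack" not in p["flags"]): return False
    if "icmptype" in o and p["icmptype"] not in o["icmptype"]: return False
    return True

class Firewall:
    def __init__(self, ruleset):
        self.rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
        self.counters = {r["num"]: 0 for r in self.rules}
        self.dynamic = {}                    # flow 5-tuple -> number of the keep-state rule that created it

    def process(self, p):
        # First-match walk; returns (action, rule number) the way ipfw would decide.
        fwd = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        for r in self.rules:
            if r["action"] == "check-state":
                parent = self.dynamic.get(fwd, self.dynamic.get(rev))
                if parent is not None:       # a dynamic hit is charged to the parent rule, not to check-state
                    self.counters[parent] += 1
                    return "allow", parent
                continue
            if rule_matches(r, p):
                self.counters[r["num"]] += 1
                if r["opts"].get("keep-state"):
                    self.dynamic[fwd] = r["num"]
                return r["action"], r["num"]
        raise RuntimeError("rule 65535 should have matched")

def pkt(proto, src, dst, direction, sport=None, dport=None, recv=None, xmit=None, flags=(), icmptype=None):
    return dict(proto=proto, src=src, dst=dst, dir=direction, sport=sport, dport=dport,
                recv=recv, xmit=xmit, flags=set(flags), icmptype=icmptype)

def demo():
    fw, hit = Firewall(RULESET), {}          # constructed packets; returns deciding rules and counters
    # The laptop itself connects out over PPP: the source is "me", so 00200 matches and keeps state.
    hit["own_syn"] = fw.process(pkt("tcp", "192.0.2.10", "198.51.100.7", "out", 40000, 80, xmit="tun0", flags={"syn"}))
    # The reply is accepted at check-state through the dynamic entry 00200 created.
    hit["own_reply"] = fw.process(pkt("tcp", "198.51.100.7", "192.0.2.10", "in", 80, 40000, recv="tun0", flags={"syn", "ack"}))
    # A host on vr0 connects out: 00500 passes it in; leaving tun0 it still carries the LAN source,
    # which is not "me", so 00200 does not match and 00300 takes it.
    hit["lan_in"] = fw.process(pkt("tcp", "10.0.0.50", "198.51.100.7", "in", 5000, 443, recv="vr0", flags={"syn"}))
    hit["lan_out"] = fw.process(pkt("tcp", "10.0.0.50", "198.51.100.7", "out", 5000, 443, recv="vr0", xmit="tun0", flags={"syn"}))
    # Unsolicited ACK from the Internet: no dynamic entry, so 00400 denies it.
    hit["stray_ack"] = fw.process(pkt("tcp", "203.0.113.9", "192.0.2.10", "in", 1234, 22, recv="tun0", flags={"ack"}))
    # Unsolicited SYN to ssh from the Internet: 00900 is limited to recv vr0, so it falls through to 01100.
    hit["inet_ssh"] = fw.process(pkt("tcp", "203.0.113.9", "192.0.2.10", "in", 1234, 22, recv="tun0", flags={"syn"}))
    # The same SYN from the LAN never reaches 00900: 00500 already allows everything via vr0.
    hit["lan_ssh"] = fw.process(pkt("tcp", "10.0.0.50", "10.0.0.1", "in", 1234, 22, recv="vr0", flags={"syn"}))
    return hit, fw.counters
```

Two caveats when reading this against the posted counters. The model has no dynamic-rule expiry and no divert/NAT step (the posted set contains no divert rule), so it only shows which static rule a given packet reaches. And forwarded LAN traffic is one way for 00300 to be hit, but the page gives 00500 (via vr0) only 43 packets against 2093 on 00300, so whatever carried a non-local source out tun0 on that laptop is not determined by the output shown; the ruleset does not tell you, and `ipfw -d show` or the log from 01100 would be the next thing to look at.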
    
