Re: ipfw and anti-spoofing rules
From: patpro ~ patrick proniewski (patpro_at_boleskine.patpro.net)
Date: 05/19/04
- In reply to: Ditch Brodie: "ipfw and anti-spoofing rules"
Date: Wed, 19 May 2004 01:13:58 +0200
In article <jGwqc.14268$zO3.12737@newsread2.news.atl.earthlink.net>,
"Ditch Brodie" <dbroadie@msn.com> wrote:
> Some told me to add the following lines to my ipfw ruleset.
> They have a DSL connection, my server uses dial-up.
>
> $fwcmd add deny all from 10.0.0.0/8 to any via dc0
> $fwcmd add deny all from 172.16.0.0/12 to any via dc0
> $fwcmd add deny all from 192.168.0.0/16 to any via dc0
> $fwcmd add deny all from 169.254.0.0/16 to any via dc0
> $fwcmd add deny all from 192.0.2.0/24 to any via dc0
> $fwcmd add deny all from 224.0.0.0/4 to any via dc0
> $fwcmd add deny all from 240.0.0.0/4 to any via dc0
>
> So I did. Then I realized that since I use dial-up shouldn't
> my setup read tun0 instead of dc0?
Sure, the interface should be the one you're using on the internet (tun0
in your case).
> Can anyone share more
> info on this? What does this exactly do?
The rules above will prevent people from connecting to your box using a
spoofed IP.
If you do a `whois IP` with IP = one of the IPs listed above, you should
get some details.
These IPs cannot be used on the internet, so nobody should connect to
your machine using such an IP.
ex:
whois 224.0.0.0
...
Comment: This block is reserved for special purposes.
Comment: Please see RFC 3171 for additional information.
...
patpro
-- looking for a UNIX/Mac admin position http://patpro.net/cv.php
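
Added example, not part of the original post: a small sh script that prints the seven rules from the quoted ruleset for a chosen outside interface (tun0 for the dial-up case discussed) and reports which of those ranges would drop a given source address. The function names and the sample addresses are constructed for illustration; the script only prints text and never calls ipfw.

```shell
#!/bin/sh
# Source ranges taken from the quoted ruleset.
NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

# Convert a dotted quad (no leading zeros) to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $1 lies inside network $2 (a.b.c.d/len).
in_net() {
    addr=$(ip2int "$1")
    base=$(ip2int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( base & mask )) ]
}

# Print the listed range that would drop source $1; fail if none matches.
matching_net() {
    for net in $NETS; do
        if in_net "$1" "$net"; then
            echo "$net"
            return 0
        fi
    done
    return 1
}

# Print the rules for outside interface $1 (tun0 for dial-up, dc0 for Ethernet).
antispoof_rules() {
    for net in $NETS; do
        echo "ipfw add deny all from $net to any via $1"
    done
}

antispoof_rules tun0
# Constructed sample source addresses, as they might arrive on tun0.
for ip in 10.1.2.3 172.31.255.254 172.32.0.1 192.0.2.55 239.255.255.250 11.0.0.1; do
    if hit=$(matching_net "$ip"); then
        echo "$ip: denied by rule for $hit"
    else
        echo "$ip: not matched by these rules"
    fi
done
```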