On 2005-10-23 12:12, Chuck Swiger <[EMAIL PROTECTED]> wrote:
> You have anti-spoofing for the loopback, lo0 interface, but not for
> your other interfaces. You should add anti-spoofing rules, and also
> block strict and loose source routing [1]:
>
> # Stop strict and loose source routing
> add deny log all from any to any ipoptions ssrr
> add deny log all from any to any ipoptions lsrr
Agreed. Please note that this is ``an extra layer of protection'' though.
The relevant bits are already disabled through sysctl settings, by default,
and have to be explicitly enabled:

% flame:/home/keramida$ sysctl -a | fgrep accept_source
% net.inet.ip.accept_sourceroute: 0
% flame:/home/keramida$ sysctl -a | fgrep redirect
% net.inet.ip.redirect: 1
% net.inet.icmp.log_redirect: 1
% net.inet.icmp.drop_redirect: 1
% net.inet6.ip6.redirect: 1
% flame:/home/keramida$

I'm sure Chuck already knows this. Just adding a minor note, to make sure
you, Eric, don't get the wrong impression that a firewall is an absolute
*requirement* to block these.
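As an added check (not from this thread or either poster), a small sh function that audits the two layers the reply distinguishes: the kernel's net.inet.ip.accept_sourceroute setting and the two ipfw deny rules for ipoptions ssrr/lsrr. It runs here on constructed samples of `sysctl -a` and `ipfw list` output embedded in the script; on a real FreeBSD host the same function would be fed the live output of those commands.

```shell
#!/bin/sh
# Constructed sample of `sysctl -a` output (not captured from a real host).
SAMPLE_SYSCTL='net.inet.ip.accept_sourceroute: 0
net.inet.ip.redirect: 1
net.inet.icmp.drop_redirect: 1
net.inet6.ip6.redirect: 1'

# Constructed sample of `ipfw list` output: only the ssrr rule is present.
SAMPLE_IPFW='00100 deny log ip from any to any ipoptions ssrr
65535 allow ip from any to any'

# Print the value of one OID from "name: value" lines (sysctl -a style) on stdin.
sysctl_value() {
    awk -v oid="$1" '$1 == (oid ":") { print $2; exit }'
}

# audit_source_routing SYSCTL_OUTPUT IPFW_OUTPUT
# Reports the kernel layer and the firewall layer separately. Returns 0 only
# when accept_sourceroute is 0 AND ipfw denies both the ssrr and lsrr options.
audit_source_routing() {
    sysctl_out=$1
    ipfw_out=$2
    rc=0

    v=$(printf '%s\n' "$sysctl_out" | sysctl_value net.inet.ip.accept_sourceroute)
    if [ "$v" = "0" ]; then
        echo "ok:   kernel drops source-routed packets (accept_sourceroute=0)"
    else
        echo "WARN: net.inet.ip.accept_sourceroute=${v:-unset}; kernel would accept them"
        rc=1
    fi

    # The "extra layer": one deny rule per source-routing IP option.
    for opt in ssrr lsrr; do
        if printf '%s\n' "$ipfw_out" | grep -Eq "^[0-9]+ deny .*ipoptions $opt"; then
            echo "ok:   ipfw deny rule present for ipoptions $opt"
        else
            echo "WARN: no ipfw deny rule for ipoptions $opt"
            rc=1
        fi
    done
    return $rc
}

# With the samples above the kernel layer passes but the lsrr rule is missing.
audit_source_routing "$SAMPLE_SYSCTL" "$SAMPLE_IPFW" || echo "audit: one or more layers missing"
```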
