Re: FAQ 3.3
Nice work on the new FAQ!
I have a suggestion for the "Example Firewall For Home or Small Office". The
example defines the $PRIVNET macro to filter out RFC1918 traffic. Couldn't
the "antispoof" keyword be used instead? Especially since your ruleset
already passes lo0 by default.
Here's a diff of proposed changes for example1.html. If I've got this wrong
I'd be pleased to hear of it.
54d53
< PRIVNETS="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
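Review bot: deleting the `PRIVNETS=` definition at line 54 leaves any remaining `$PRIVNET`/`$PRIVNETS` reference in the page undefined, and pfctl refuses to load a ruleset that expands an undefined macro. The only references this diff removes are the two block rules at 106-107, and those use `$PRIVNET` while the definition is `PRIVNETS` (a mismatch already present in the old text and worth fixing in the page itself); search the rest of example1.html for the macro before dropping its definition.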
57c56
< The first two lines are interface names. PRIVNETS is a list of
---
> The first two lines are interface names. We'll use "antispoof" for
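Review bot: the replacement line 56 stops mid-sentence ("We'll use "antispoof" for") and the hunk does not show the continuation that followed "PRIVNETS is a list of". The unchanged next line was written to complete the old sentence, so either confirm it still reads correctly after the new opening or extend the hunk to rewrite that line as well.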
101a101,103
> Note that these are "quick" rules -- if there is a match, the packet
> is dropped and the processing stops here.
>
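Review bot: the relocated note at 101-103 says "these are quick rules", but the hunk shows none of the rules it now sits beside. Since the antispoof line introduced further down in this diff carries no `quick`, check that the note now refers only to rules that actually have it; otherwise the text promises first-match semantics that the rule does not provide.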
106,107c108
< block in quick on $EXT from $PRIVNET to any
< block out quick on $EXT from any to $PRIVNET
---
> antispoof for $EXT
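Review bot: `antispoof for $EXT` is not a drop-in replacement for the two deleted rules. antispoof expands to block rules for the address and network configured on $EXT (packets with that source arriving on other interfaces, or claiming the interface's own address); it knows nothing about 10/8, 172.16/12, 192.168/16 or 127/8 unless one of them happens to be $EXT's own network. The deleted `block in quick on $EXT from $PRIVNET to any` dropped any private-source packet arriving from the Internet, and `block out quick on $EXT from any to $PRIVNET` stopped private-destination traffic from leaking out; antispoof covers neither, so keep those two rules and add antispoof alongside them rather than in their place.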
110,112c111
< Note that these are "quick" rules -- if there is a match, the packet is <
dropped and the processing stops here. <
---
> The antispoof keyword makes this easy!
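Review bot: the new sentence at 111 drops the explanation of quick semantics, and the antispoof line it describes is not quick by default, so a later `pass` rule in the ruleset can override what antispoof blocks under last-match evaluation. Either write `antispoof quick for $EXT` or keep a sentence saying that the generated rules are ordinary block rules and can be overridden by later passes.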
***************************
* Adam Getchell AdamG@hrrm.ucdavis.edu
* System Architect/Programmer (530) 752-1584
* Human Resources Information Systems http://www.hr.ucdavis.edu/
***************************
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
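An added pf.conf fragment, not from the FAQ example and not from this message, showing the two mechanisms side by side instead of one replacing the other. The interface names `ext0` and `int0` and the macro names are assumptions. The RFC1918/loopback block rules handle address ranges that should never cross the external interface in either direction, while antispoof handles packets that claim a source address belonging to one of the firewall's own interfaces; the two address sets are different, so both are kept.

```pf
# Added example (not the FAQ's ruleset or the poster's): assumed interface names
EXT="ext0"
INT="int0"

# Private and loopback ranges that must never arrive from, or be sent to,
# the Internet. antispoof does not cover these: it only knows the address
# and network configured on the interface it is given.
PRIVNETS="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Bogon filtering on the external interface, in both directions.
# "quick" ends evaluation on a match, so no later pass rule can override it.
block in  quick on $EXT from $PRIVNETS to any
block out quick on $EXT from any to $PRIVNETS

# Spoof protection for the firewall's own networks: drop packets whose
# source is an interface's network but which arrive on a different
# interface, and packets claiming an interface's own address. Written with
# "quick" so the generated block rules behave like the ones above.
antispoof quick for { lo0 $EXT $INT } inet
```

With `pfctl -nf` the file can be parsed without loading it, and `pfctl -sr` after loading shows the block rules that antispoof expanded to, which makes it easy to confirm that the private ranges appear only in the two explicit rules and not in the antispoof output.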