Abdullah Ibn Hamad Al-Marri wrote:
[...]
>> I think ICMP and UDP can have their originating address forged, so this
>> will effectively construct a true remote triggerable DoS...
>
> Thank you Li,
>
> I set antispoof in my pf.conf for the nic, would these rules help or
> not? do you have suggestions about the values? I run bind on the
> servers.
No. antispoof is for another use. To put it simply, let's say that it's something like "Don't bother to handle a packet which should not come from the specified interface".

An example of use might be, say, you have two NICs: em0 and em1. em0 is connected to the Internet, and em1 is connected to a private subnet 192.168.0.0/24. The two networks are not interconnected. antispoof on em1 means that if em0 receives a packet which claims to be from 192.168.0.0/24, then drop it.

ICMP and UDP protocols are, however, not designed for you to be able to distinguish whether the source address is forged. Thus, using a state table can be a true DoS sometimes: an attacker can just exhaust the table resource and render your network non-responsive. So be careful...

Cheers,

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
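The two-NIC scenario above, as an added pf.conf example that is not part of the original thread: it shows what the antispoof rule for em1 expands to (per pf.conf(5)) and adds the state-table caps that bound the UDP/ICMP exhaustion risk Li describes. The interface names, the 192.168.0.0/24 subnet and the DNS server address are assumptions taken from or added to the discussion.

```conf
# Added example, not from the original thread.
ext_if = "em0"                 # Internet-facing NIC
int_if = "em1"                 # private subnet 192.168.0.0/24, not routed to em0
dns_srv = "192.0.2.53"         # constructed address of the bind server on $ext_if

# Bound total state-table memory so a flood cannot grow it without limit.
set limit { states 20000, src-nodes 10000 }
# Shorten UDP/ICMP state lifetimes: forged-source packets then expire quickly.
set timeout { udp.first 30, udp.single 15, udp.multiple 30, icmp.first 10 }

# antispoof for $int_if is equivalent to these two rules (pf.conf(5)):
#   block drop in on ! em1 inet from 192.168.0.0/24 to any
#   block drop in inet from <em1's own address> to any
# i.e. a packet claiming to come from the private subnet, but arriving on any
# other interface (such as em0), is dropped. It says nothing about whether an
# Internet-sourced UDP/ICMP packet carries a forged address.
antispoof quick for $int_if inet

block in log all

# Per-rule caps: at most 5000 DNS states in total and 50 per source address.
# Because UDP sources can be forged, these caps limit resource use rather than
# distinguish real clients from spoofed ones; a flood can still fill the cap.
pass in on $ext_if inet proto udp from any to $dns_srv port domain \
    keep state (max 5000, source-track rule, max-src-states 50)
pass in on $ext_if inet proto tcp from any to $dns_srv port domain \
    keep state (max 2000, source-track rule, max-src-conn 20)

pass out on $ext_if keep state
pass in on $int_if from 192.168.0.0/24 keep state
```

Check the resulting rule set without loading it via `pfctl -nvf /etc/pf.conf`, which also prints the rules antispoof expands into.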
