On Wed, May 13, 2015 at 10:29 PM, Karl O. Pinc <k...@meme.com> wrote:

> There is one more thing you can do to be a good neighbor.
> The following rule foils people who would use you to mount
> a sequence number spoofing attack on someone else.
> (You would play the role of "A" in rfc1948.)
>
>  block in on $ext_if proto tcp flags sa/sa return-rst


unless you're an Internet Service Provider, or you are
participating in some kind of peering arrangement, you
should not be accepting any unsolicited packets from
$ext_if, never mind forwarding them back out on $ext_if.

for a typical home or business gateway, this is a sensible
default to use:

    block in on $ext_if all

then follow that with pass rules for the specific traffic
you want to accept.

-ken
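The two rules discussed in this thread, put together into a minimal pf.conf for a home or small-business gateway. This is an added example, not a ruleset from either poster; the interface names (em0, em1), the exposed services and the LAN network are assumptions, and the rule text follows the quoted rules above.

```pf
# Assumed interface names and the services this gateway deliberately exposes.
ext_if = "em0"          # assumption: external (ISP-facing) interface
int_if = "em1"          # assumption: internal LAN interface
tcp_services = "{ ssh, https }"   # assumption: what we actually want reachable

set skip on lo
scrub in all

# Ken's default: drop every unsolicited packet arriving on the external
# interface. Everything we do want must be opened by a later pass rule
# (pf is last-match-wins unless "quick" is used).
block in on $ext_if all

# Karl's good-neighbour rule: a packet with SYN+ACK set that matches no
# state belongs to a connection this host never opened. Answering with
# RST instead of silently dropping it stops a third party from using this
# host as "A" in an RFC 1948-style sequence-number spoofing attempt, since
# the spoofed handshake is torn down at once. Placed after the default
# block so it only changes the response, not what is accepted.
block in on $ext_if proto tcp flags SA/SA return-rst

# Services we intentionally expose, stateful so replies are allowed.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services flags S/SA keep state

# Traffic the gateway and the LAN originate, stateful so return packets
# get through without any broad "pass in" on $ext_if.
pass out on $ext_if keep state
pass in on $int_if from $int_if:network keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses without installing the rules, so a typo in a macro or flag spec is caught before the gateway is left without a working ruleset.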
