On Wed, May 13, 2015 at 10:29 PM, Karl O. Pinc <k...@meme.com> wrote:
> There is one more thing you can do to be a good neighbor.
> The following rule foils people who would use you to mount
> a sequence number spoofing attack on someone else.
> (You would play the role of "A" in rfc1948.)
>
> block in on $ext_if proto tcp flags sa/sa return-rst

Unless you're an Internet Service Provider, or you are participating in some kind of peering arrangement, you should not be accepting any unsolicited packets from $ext_if, never mind forwarding them back out on $ext_if.

For a typical home or business gateway, this is a sensible default to use:

block in on $ext_if all

Then follow that with pass rules for the specific traffic you want to accept.

-ken
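The default-deny layout Ken describes, written out as a minimal pf.conf. This is an added example, not a ruleset posted in the thread; the interface name, the $admin_net macro and the service ports are assumptions chosen for illustration.

```pf
# Added example, not from the original thread. Assumes the external
# interface is em0 and that this gateway serves HTTP/HTTPS to anyone
# and SSH only from an administrative network ($admin_net is a
# hypothetical macro holding a constructed RFC 5737 documentation prefix).
ext_if    = "em0"
admin_net = "192.0.2.0/24"

set skip on lo

# Sensible default for a home or business gateway: drop every packet
# that arrives unsolicited on the external interface. Because no state
# exists for them, this also discards the stray SYN+ACK segments that
# Karl's "flags SA/SA return-rst" rule targets, so a host configured
# this way cannot be used as "A" in an RFC 1948 sequence-number attack.
block in on $ext_if all

# Then pass only the traffic you actually want, creating state so the
# replies are allowed back out. "flags S/SA" means a state is created
# only by an initial SYN, never by a mid-stream or SYN+ACK segment.
pass in on $ext_if proto tcp to ($ext_if) port { 80 443 } flags S/SA keep state
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 flags S/SA keep state

# Outbound connections initiated from the gateway itself.
pass out on $ext_if all keep state
```

Check the result with `pfctl -nf /etc/pf.conf` (parse only) before loading it, and `pfctl -sr` afterwards to confirm the block rule precedes the pass rules.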