Jason Dixon wrote:
> On Jun 21, 2005, at 6:24 PM, Bill Swisher wrote:
>
>> After reading over the pf-faq.pdf file I have, at this time, one
>> question. The home/small office example assumes that the internet
>> lives off of "ep0". In my case this is partially true. What really
>> is there is a router running on the network 192.168.2.* (my internal
>> network is the standard 192.168.1.*) and if I use the command "block
>> drop in quick on $ext if from $priv_nets" and it's corresponding
>> output block I'd pretty much be sitting deaf and mute, as far as the
>> rest of the computing world goes near as I can figure.
>>
>> I like that router! It does the PPPoE for me, along with minimal
>> blocking. I don't want to toss it.
>>
>> Anyone have a way around this?
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
> !192.168.2.0/24 }"
or just drop these lines altogether.
This is much more a "feel good" line than something that adds a serious
measure of security.
There are lots of other addresses that nothing should be coming from.
Stuff will come from them anyway. Trying to itemize them is more
hazardous than it is worth (they will likely get allocated later), and
even then, there is no reason a spoofed address can't claim to come from
a perfectly valid IP address. Thus, your protection from spoofed
addresses will most likely have to come from other places. These lines
add little.
Nick.
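As an added example (not from anyone in this thread), here is one way to express the exclusion Jason describes in pf.conf. It uses a table rather than a brace list: inside a table, "!" excludes a range from the addresses before it, which is what pf.conf(5) documents for carving a subnet out of a larger block. Inside a { } list, pf expands the list into one rule per element, so a "!" entry becomes its own rule that negates that single address, which pf.conf(5) warns is rarely what was intended. Interface names and the router's subnet are assumptions for the example.

```pf
# Added example, not from the thread. Assumptions: the external interface
# is ep0, the internal one is fxp0, and the upstream router (doing PPPoE)
# sits on 192.168.2.0/24, so that net must not be treated as "private".
ext_if = "ep0"
int_if = "fxp0"

# Table, not a brace list: "!" here excludes 192.168.2.0/24 from the
# 192.168.0.0/16 entry that precedes it. "const" keeps the table from being
# changed at runtime with pfctl -T.
table <priv_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
                          192.168.0.0/16, !192.168.2.0/24 }

# Drop packets on the external side whose source (inbound) or destination
# (outbound) is private space, except for the router's own subnet.
block drop in  quick on $ext_if from <priv_nets> to any
block drop out quick on $ext_if from any to <priv_nets>

# antispoof handles the firewall's directly attached networks; it is the
# rule that catches a local host forging a source on the wrong interface.
antispoof quick for { lo0 $int_if }
```

Check the parse with `pfctl -nf /etc/pf.conf` before loading, and confirm the exclusion took effect with `pfctl -t priv_nets -T test 192.168.2.1`, which should report zero matches, while `pfctl -t priv_nets -T test 192.168.1.1` should report one. As Nick says, none of this stops a packet that spoofs a routable source; it only drops the cases that are obviously wrong on that interface.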