 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Don Munyak <don dot munyak at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] address-spoofing
 Date:  Wed, 18 May 2005 17:52:26 -0400
On 5/18/05, Don Munyak <don dot munyak at gmail dot com> wrote:
> Is address-spoofing protection built-in to the default rules in
> m0n0wall or is this something I need to apply to the filters tab.
> 

Spoofing protection is built into the "behind the scenes" rules that
you can't see in the rules screens (go to status.php to see them).

> ie..."Packets that claim to be coming from internal machines but are
> actually coming in from the outside"
> 

Those are dropped.


> also "Internal packets that have external source addresses"
> 

Packets with source addresses that aren't within your LAN subnet are
dropped outbound automatically as well.  In the case of a router and
multiple subnets off of your LAN interface, the static routes required
for those subnets to function exempt those networks from the outbound
anti-spoofing in addition to the LAN subnet.

Also the "block private networks" box on the WAN interface page should
be checked to drop RFC1918 private address space.

As mentioned earlier, there are also bogon lists, which typically
include multicast address space, unassigned network blocks, private
address space, and other reserved address space that you should never
see coming in from the internet.  These change somewhat frequently
though, so if you use them you'll need to make sure you keep them up
to date.

-Chris
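The four checks Chris describes (drop WAN packets claiming an internal source, drop LAN packets whose source is outside the LAN subnet or its static-route subnets, optionally drop RFC1918 sources on WAN, optionally drop bogon sources on WAN) can be written down as one decision function. The following is an added illustration, not m0n0wall code and not from the thread; the topology (a 192.168.1.0/24 LAN and a 10.10.0.0/16 subnet reached through a static route), the interface names, and the short bogon list are all constructed assumptions. The bogon list here contains only permanently reserved ranges precisely because, as the message says, real bogon lists change and have to be refreshed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (an assumption for this example, not from the thread).
LAN_SUBNET = ip_network("192.168.1.0/24")
# Networks reached via a router on the LAN side.  As in the thread, the static
# routes for these make them "internal" for anti-spoofing purposes.
STATIC_ROUTE_SUBNETS = [ip_network("10.10.0.0/16")]

# The "block private networks" option on the WAN page drops these RFC1918 ranges.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed stand-in for a bogon list: only ranges that are reserved forever
# (this-network, loopback, link-local, multicast, class E).  A real bogon list
# also carries unallocated blocks and must be kept up to date.
BOGONS = [
    ip_network("0.0.0.0/8"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
    ip_network("224.0.0.0/4"),
    ip_network("240.0.0.0/4"),
]


def _in_any(addr, networks):
    """True if addr lies inside any of the given networks."""
    return any(addr in net for net in networks)


def _is_internal(addr):
    """Internal means the LAN subnet or a subnet behind a LAN-side static route."""
    return addr in LAN_SUBNET or _in_any(addr, STATIC_ROUTE_SUBNETS)


def check_packet(iface, src, block_private_on_wan=True, bogons=()):
    """Apply the anti-spoofing checks to a packet with source address `src`
    arriving on interface `iface` ("wan" or "lan").

    Returns ("drop", reason) or ("continue", "") where "continue" means the
    packet is handed on to the user-visible rules instead of being dropped here.
    """
    addr = ip_address(src)
    if iface == "wan":
        if _is_internal(addr):
            return ("drop", "inbound packet claims an internal source address")
        if block_private_on_wan and _in_any(addr, RFC1918):
            return ("drop", "RFC1918 source address on WAN")
        if _in_any(addr, bogons):
            return ("drop", "bogon source address on WAN")
        return ("continue", "")
    if iface == "lan":
        if _is_internal(addr):
            return ("continue", "")
        return ("drop", "outbound packet with a source address outside the LAN")
    return ("drop", "unknown interface %r" % iface)


def summarize(packets, **options):
    """Run check_packet over (iface, src) pairs and count drops per reason."""
    counts = {}
    for iface, src in packets:
        verdict, reason = check_packet(iface, src, **options)
        key = reason if verdict == "drop" else "continue"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic, one (interface, source) pair per packet.
    sample = [
        ("wan", "192.168.1.50"),   # spoofed LAN source arriving from outside
        ("wan", "10.10.5.5"),      # spoofed static-route subnet source
        ("wan", "172.16.4.4"),     # private source on WAN
        ("wan", "224.0.0.9"),      # multicast source (bogon)
        ("wan", "203.0.113.7"),    # ordinary internet source
        ("lan", "192.168.1.50"),   # normal LAN host
        ("lan", "10.10.5.5"),      # host behind the static route, exempted
        ("lan", "198.51.100.3"),   # internal host spoofing an external source
    ]
    for key, n in sorted(summarize(sample, bogons=BOGONS).items()):
        print("%-55s %d" % (key, n))
```

Without a bogon list (the default `bogons=()`), the multicast source in the sample is no longer caught by the anti-spoofing stage, which is the reason Chris gives for using bogon lists in addition to the RFC1918 option; `block_private_on_wan=False` likewise lets the 172.16.4.4 packet through to the user rules.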