[ previous ] [ next ] [ threads ]
 
 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] address-spoofing
 Date:  Thu, 19 May 2005 08:11:07 -0400
Thanks everyone for the clarification.

- Don

On 5/18/05, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 5/18/05, Don Munyak <don dot munyak at gmail dot com> wrote:
> > Is address-spoofing protection built-in to the default rules in
> > m0n0wall or is this something I need to apply to the filters tab.
> >
> 
> Spoofing protection is built into the "behind the scenes" rules that
> you can't see in the rules screens (go to status.php to see them).
> 
> > ie..."Packets that claim to be coming from internal machines but are
> > actually coming in from the outside"
> >
> 
> those are dropped.
> 
> 
> > also "Internal packets that have external source adresses"
> >
> 
> Packets with source addresses that aren't within your LAN subnet are
> dropped outbound automatically as well.  In the case of a router and
> multiple subnets off of your LAN interface, the static routes required
> for those subnets to function exempt those networks from the outbound
> anti-spoofing in addition to the LAN subnet.
> 
> Also the "block private networks" box on the WAN interface page should
> be checked to drop RFC1918 private address space.
> 
> As mentioned earlier, there are also bogon lists, which typically
> include multicast address space, unassigned network blocks, private
> address space, and other reserved address space that you should never
> see coming in from the internet.  These change somewhat frequently
> though, so if you use them you'll need to make sure you keep them up
> to date.
> 
> -Chris
>