IPFW: combining "divert natd" with "keep-state"

Jan Grant Jan.Grant at bristol.ac.uk
Fri Jun 20 05:49:28 PDT 2003


On Fri, 20 Jun 2003, Jim Hatfield wrote:

[there was more]

> >: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
> >: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0

> But one question first: do you
> ever get hits on the second rule 300? I would have thought
> it very difficult for anyone to route a packet to you with
> a non-routable destination address. Surely only your ISP
> could do that?

Do you trust your ISP? If the choice is between a rule that has no
benefit providing everyone configured their stuff correctly, and leaving
out the safety-net because you expect to not need it, that's a pretty
simple choice.



-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Goth isn't dead, it's just lying very still and sucking its cheeks in.
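
As an added illustration, not code from the original thread or from any of the posters: a POSIX sh script that prints a complete RFC 1918 anti-spoofing rule set for the external interface, generalised from the single 192.168.0.0/16 pair quoted above to all three private blocks, and that shows where the "divert natd" rule from the subject line has to sit relative to the two kinds of deny rule. The rule numbers (300, 310, 320) and the choice of "via" to cover both directions are mine; rl0 is the interface named in the quoted rules. The script only prints the ipfw commands and classifies addresses, it never invokes ipfw, so it runs anywhere a Bourne shell exists.

```shell
#!/bin/sh
# Added example, not from the original thread: emit an ipfw anti-spoofing
# rule set for the RFC 1918 blocks on an external interface, ordered so it
# can be combined with "divert natd". Rule numbers are assumptions; rl0 is
# the interface named in the thread. Nothing here calls ipfw.

EXT_IF=rl0
RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip_to_int: dotted quad -> unsigned 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/PREFIX: succeeds when ADDR lies inside the prefix.
in_net() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_rfc1918 ADDR: succeeds for any address in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    for n in $RFC1918_NETS; do
        in_net "$1" "$n" && return 0
    done
    return 1
}

# gen_rules BASE: print the rule set. Ordering matters once natd is in play,
# because a packet natd hands back re-enters ipfw at the rule after the
# divert rule:
#   - "to <private>" checks go BEFORE the divert rule: natd rewrites inbound
#     destinations to private LAN addresses, so a later
#     "deny ... to 192.168.0.0/16" would drop every translated reply.
#   - "from <private>" checks go AFTER the divert rule: outbound LAN packets
#     still carry private sources until natd has translated them, so placed
#     earlier they would cut the LAN off from the outside.
gen_rules() {
    base=$1
    for n in $RFC1918_NETS; do
        echo "ipfw add $base deny ip from any to $n via $EXT_IF"
    done
    echo "ipfw add $((base + 10)) divert natd ip from any to any via $EXT_IF"
    for n in $RFC1918_NETS; do
        echo "ipfw add $((base + 20)) deny ip from $n to any via $EXT_IF"
    done
}

# rule_count BASE: number of commands gen_rules emits (used for checks).
rule_count() {
    gen_rules "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--print" ]; then
    gen_rules 300
fi
```

Run it with --print to see the seven commands; is_rfc1918 is there so the classification the rules encode can be checked against an address before anything goes live. The ordering comment in gen_rules is the practical point of combining these rules with natd: the destination check must precede the divert and the source check must follow it, and both halves together are the safety net the reply above argues for, whatever the ISP's own filtering does.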


