Bugtraq mailing list archives
Re: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Fri, 21 Nov 1997 14:51:26 +1100
There's a Perl script called "mkfilters" distributed with IP filter which will generate the appropriate list of configuration lines to prevent any spoofed packets. This is only recommended for use as a baseline to build from, however.

The script does attempt to handle ppp interfaces, although dynamic allocation of ppp numbers (both interface and IP#) can hamper any efforts to do this sanely.

example output:

    #
    # The following routes should be configured, if not already:
    #
    # route add 10.1.1.1 localhost 0
    #
    block in log quick from any to any with ipopts
    block in log quick proto tcp from any to any with short
    pass out on le0 all head 250
    block out from 127.0.0.0/8 to any group 250
    block out from any to 127.0.0.0/8 group 250
    block out from any to 10.1.1.1/32 group 250
    pass in on le0 all head 200
    block in from 127.0.0.0/8 to any group 200
    block in from 10.1.1.1/32 to any group 200

where le0 is 10.1.1.1.

Darren
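
Added example (not part of the original post and not the mkfilters script itself): a Python sketch that emits rules in the same layout as the example output for one or more interfaces with static IPv4 addresses. The function name, the per-interface group numbering (base plus index) and the choice to block every local address on every interface are assumptions of this sketch; dynamically addressed ppp interfaces are not handled.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def antispoof_rules(interfaces, in_base=200, out_base=250):
    """Build ipf anti-spoofing rules in the layout shown in the post.

    interfaces: list of (name, ipv4_address) pairs, e.g. [("le0", "10.1.1.1")].
    Group numbers are base + interface index (assumption of this sketch).
    """
    if len({name for name, _ in interfaces}) != len(interfaces):
        raise ValueError("duplicate interface name")
    if abs(out_base - in_base) < len(interfaces):
        raise ValueError("inbound and outbound group ranges would overlap")

    hosts = []
    for name, addr in interfaces:
        ip = ipaddress.IPv4Address(addr)      # raises ValueError on a bad address
        if ip in LOOPBACK:
            raise ValueError(f"{name}: loopback address is not a real interface")
        hosts.append((name, ipaddress.ip_network(f"{ip}/32")))
    own = [net for _, net in hosts]           # every address this host owns

    # Malformed packets are dropped before any per-interface group is consulted.
    rules = [
        "block in log quick from any to any with ipopts",
        "block in log quick proto tcp from any to any with short",
    ]
    # Outbound: nothing leaving an interface may involve loopback or target ourselves.
    for i, (name, _) in enumerate(hosts):
        g = out_base + i
        rules.append(f"pass out on {name} all head {g}")
        rules.append(f"block out from {LOOPBACK} to any group {g}")
        rules.append(f"block out from any to {LOOPBACK} group {g}")
        rules += [f"block out from any to {net} group {g}" for net in own]
    # Inbound: a packet arriving from the wire cannot claim loopback or one of
    # our own addresses as its source.
    for i, (name, _) in enumerate(hosts):
        g = in_base + i
        rules.append(f"pass in on {name} all head {g}")
        rules.append(f"block in from {LOOPBACK} to any group {g}")
        rules += [f"block in from {net} to any group {g}" for net in own]
    return rules

if __name__ == "__main__":
    # Constructed input matching the post's example: le0 is 10.1.1.1.
    print("\n".join(antispoof_rules([("le0", "10.1.1.1")])))
```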
