Subject: Re: something strange with mbuf length...
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 04/22/2006 12:05:48
On Sat, 22 Apr 2006 11:37:53 -0400, "Steven M. Bellovin"
<smb@cs.columbia.edu> wrote:


> Here's my rule set:
> 
> 	pass in quick on lo0 from any to any
> 
> 	block in quick from any to any port = 7911
> 	block in quick from any to any port = 8010
> 	block out quick from any to any port = 5222
> 	pass in all
> 
> 7911 is because I sometimes play with OMAPI, 8010 is to block the file
> transfer ability of pkgsrc/chat/psi, and 5222 is to work around a bad
> misfeature in earlier versions of psi.
> 
> When I'm using ppp over my EVDO card, I add something like these rules in
> an ip-up script and delete them in ip-down; the purpose is to prevent the
> machine from emitting packets with an incorrect IP address over that link.
> 
> 	block return-icmp out log on ppp0 from any to any
> 	block return-rst out log on ppp0 proto tcp from any to any
> 	pass out on ppp0 from 70.217.43.30 to any
> 
> The exact IP address changes, of course.  (This isn't the thread to
> describe the problems several of us have had with EVDO cards; Greg Troxel
> had the insight that this would help.  While it clearly isn't the whole
> explanation, it has helped a lot.  Contact me offlist for details.)
> 
> That's it; there are no other rules, interfaces, NAT, etc.
> 
Of course, I got it wrong; I have an ipf6.conf file, too.  It's identical
to the first section above.  I don't add any ipv6 rules for the second
part because my card doesn't support IPv6; if I try to enable it, I get

	Protocol-Reject for 'IPv6 Control Protovol' (0x8057) received


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
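The ip-up rules above work only because of how ipf orders its decisions: rules are evaluated top to bottom, the last matching rule wins unless a matching rule says `quick`, and a packet no rule matches is passed. Below is an added example (my own code, not from the message or from ipfilter) that models that ordering for the subset of syntax the two rule sets use and runs the message's rules against a few constructed packets. The link address 70.217.43.30 is the one quoted in the message; the other addresses, interface name `wm0` and port numbers below are constructed test values. Address matching is exact-string only (no CIDR, no `keep state`), which is all these rules need.

```python
"""Added example: a minimal evaluator for ipf(5) rule ordering.

ipf semantics modelled here:
  * rules are tested in order; the LAST rule that matches decides,
  * a matching rule marked "quick" decides immediately and stops evaluation,
  * if nothing matches, the packet passes.
The egress rules from the message rely on point 1: both "block ... out on ppp0"
lines match every outbound packet, and the later "pass out on ppp0 from
<link address>" overrides them only for packets carrying the right source.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rules as quoted in the message (ipf.conf section, then the ip-up additions).
IPF_CONF = """
pass in quick on lo0 from any to any
block in quick from any to any port = 7911
block in quick from any to any port = 8010
block out quick from any to any port = 5222
pass in all
"""
PPP_UP = """
block return-icmp out log on ppp0 from any to any
block return-rst out log on ppp0 proto tcp from any to any
pass out on ppp0 from 70.217.43.30 to any
"""


@dataclass
class Packet:
    direction: str            # "in" or "out"
    iface: str                # interface the packet enters or leaves on
    proto: str                # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str               # "pass" or "block" (return-rst/return-icmp are still "block")
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    src: str                  # "any" or an exact address
    dst: str
    port: Optional[int]
    text: str                 # original line, kept for reporting


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf syntax used in the message."""
    toks = line.split()
    action = toks.pop(0)
    if toks and toks[0].startswith("return-"):   # return-rst / return-icmp: still a block
        toks.pop(0)
    direction = toks.pop(0)
    quick, iface, proto, src, dst, port = False, None, None, "any", "any", None
    while toks:
        t = toks.pop(0)
        if t == "quick":
            quick = True
        elif t in ("log", "all"):         # logging and "all" do not affect matching here
            continue
        elif t == "on":
            iface = toks.pop(0)
        elif t == "proto":
            proto = toks.pop(0)
        elif t == "from":
            src = toks.pop(0)
        elif t == "to":
            dst = toks.pop(0)
        elif t == "port":                 # accept "port = 7911" and "port=7911"
            val = toks.pop(0)
            if val == "=":
                val = toks.pop(0)
            port = int(val.lstrip("="))
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return Rule(action, direction, quick, iface, proto, src, dst, port, line)


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(l.strip()) for l in text.splitlines() if l.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.src == "any" or rule.src == pkt.src)
            and (rule.dst == "any" or rule.dst == pkt.dst)
            and (rule.port is None or rule.port == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, deciding rule text) under ipf last-match / quick semantics."""
    verdict, why = "pass", "default: no rule matched"
    for r in rules:
        if matches(r, pkt):
            verdict, why = r.action, r.text
            if r.quick:
                break
    return verdict, why


if __name__ == "__main__":
    rules = load_rules(IPF_CONF + PPP_UP)
    # Constructed packets: correct source on ppp0, a spoofed/stale source, and inbound OMAPI.
    for p in (Packet("out", "ppp0", "tcp", "70.217.43.30", "198.51.100.5", 80),
              Packet("out", "ppp0", "tcp", "192.0.2.10", "198.51.100.5", 80),
              Packet("out", "ppp0", "udp", "192.0.2.10", "198.51.100.5", 53),
              Packet("in", "wm0", "tcp", "203.0.113.9", "192.0.2.1", 7911)):
        print(p.direction, p.iface, p.proto, p.src, "->", evaluate(rules, p))
```

Swapping the `pass out on ppp0 from 70.217.43.30` line above the two block lines would silently invert the result for correctly addressed packets, since the block lines would then be the last match; the evaluator makes that kind of ordering mistake visible before the rules reach a live interface.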