Subject: Re: ipfilter question / vulnerability?
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: None <mouss@tfz.net>
List: tech-security
Date: 09/24/1999 10:08:18
From: mouss@tfz.net
Organization: NetToll
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>,
        tech-security@netbsd.org
Subject: Re: ipfilter question / vulnerability?
Date: Fri, 24 Sep 1999 10:08:18 -0700
Content-Type: text/plain
References: <19990924112653.A490@acheron.middleboro.ma.us>
MIME-Version: 1.0
Message-Id: <99092410273400.13318@mogador.nettoll.com>
Content-Transfer-Encoding: 8bit

On Fri, 24 Sep 1999, Mason Loring Bliss wrote:
> While I can block source-routed packets
> destined for 10.x.x.x, I can't figure out how to block packets that are
> from outside the firewall but locally originated and that point to the ten
> net.

What do you mean by "from outside but locally originated"?

Under normal conditions, a packet sent by a client program residing on the FW
and destined to an internal host will have its source address equal to one of
the addresses of the internal interface.

So, if you mean that you want to reject a packet sent by a client program
residing on the firewall and destined to an internal host, then use an output
rule (block out) from the addresses of the firewall to the local net. 


Regards,

mouss
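For readers who want to see what the reply above amounts to in an ipf.conf ruleset, here is an added example (editor's illustration, not part of the original thread or of either poster's configuration). Interface names, addresses and the position of the ten net are all assumptions: external interface ex0, internal interface in0 with firewall address 192.168.1.1, and 10.0.0.0/8 reached through the internal segment.

```conf
# Added example ipf.conf fragment; not from the original thread.
# Assumed layout: ex0 = external interface, in0 = internal interface,
# 192.168.1.1 = firewall's internal address, 10.0.0.0/8 = the "ten net"
# behind the internal segment.

# Drop anything carrying a loose or strict source-route option, whichever
# interface it arrives on.  "quick" stops rule evaluation at the first match.
block in quick all with opt lsrr
block in quick all with opt ssrr

# Packets on the external side that claim to come from, or are addressed
# to, the ten net have no business there.
block in quick on ex0 from 10.0.0.0/8 to any
block in quick on ex0 from any to 10.0.0.0/8

# Traffic originated by a client on the firewall itself toward the ten net:
# such a packet carries the internal-interface address as its source, so it
# is matched with an output rule on the internal interface, as the reply
# describes.
block out quick on in0 from 192.168.1.1 to 10.0.0.0/8

# Default policy for everything not matched above (adjust to taste).
pass in all
pass out all
```

Load it with `ipf -Fa -f /etc/ipf.conf` and confirm with `ipfstat -io` that the `block out` rule appears in the output list; a `ping` from the firewall to a 10.x address should then fail while hosts behind in0 are unaffected by that rule.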