Subject: Re: Rejecting connections from specific domains
To: James Webster <James3838@tsi-net.com>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: 11/04/1999 14:15:27
Cc: tech-security@netbsd.org
Message-ID: <19991104141527.B464@acheron.middleboro.ma.us>
References: <19991102141901.A19033@antioche.lip6.fr> <020e01bf256b$1dfc8500$eff83b9d@redmond.corp.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <020e01bf256b$1dfc8500$eff83b9d@redmond.corp.microsoft.com>

On Tue, Nov 02, 1999 at 11:47:31AM -0800, James Webster wrote:

> I was wondering if I can use IPF to reject connection attempts to the
> machine running IPF or is it just used to reject connections relayed through
> the proxy?

You can use ipf to do just about anything. There are two things to be aware
of, however.

1) NAT translates inbound packets before ipf can get at them, so you need to
be aware of address issues. Specifically, you can't just say "kill all packets
coming in on this interface that are addressed to 10.x.x.x" and have it work,
since all NATted packets will have been modified before ipf sees them. There
are ways around this, like, for instance, having a default-deny strategy. I'd
personally like to be able to optionally filter packets based on originating
interface and do filtering before NAT kicks in. I think I've read that there's
some reason for why things are the way they are, although I didn't manage to
find the reason, and I've not looked at the code to try to figure out why...

2) If the machine doesn't have a static IP address, you'll need to do a little
more work.

Anyway, the documentation is your friend. Look in /usr/share/examples/ipf.

-- 
    Mason Loring Bliss  mason@acheron.middleboro.ma.us  I m m a n e n t i z e
awake ? sleep : dream;  http://acheron.ne.mediaone.net  t h e E s c h a t o n
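As an added illustration, not part of the original message, of the NAT-before-filter ordering Mason describes: an ipfilter configuration sketch for a NetBSD router of that era, using the default-deny strategy he mentions. The interface name (ep0), the public address (192.0.2.1), the LAN (10.0.0.0/24) and the blocked/admin networks are assumed values.

```conf
# /etc/ipnat.conf (assumed: ep0 is the outside interface, 192.0.2.1 its address)
map ep0 10.0.0.0/24 -> 192.0.2.1/32 portmap tcp/udp 10000:20000
map ep0 10.0.0.0/24 -> 192.0.2.1/32

# /etc/ipf.conf
# The rule below looks like a sensible anti-spoof rule but does NOT work as
# intended: inbound packets pass through NAT before the filter, so replies to
# mapped LAN connections already carry a 10.0.0.x destination when this rule
# sees them, and it would drop legitimate NAT traffic along with spoofed packets.
# block in quick on ep0 from any to 10.0.0.0/8

# Default-deny instead: nothing enters ep0 unless it matches state created by
# an outbound connection or is explicitly allowed below. The state entries are
# created before outbound NAT and matched after inbound NAT, so they are keyed
# on the private addresses in both directions and are unaffected by the ordering.
block in log on ep0 all
block out log on ep0 all
pass out quick on ep0 proto tcp from any to any flags S keep state
pass out quick on ep0 proto udp from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state

# Rejecting a specific source network from reaching the firewall host itself
# (the question asked in the thread); 203.0.113.0/24 is an assumed example.
block in log quick on ep0 from 203.0.113.0/24 to 192.0.2.1/32

# Services offered by the firewall host: ssh to the public address only, and
# only from an assumed admin network.
pass in quick on ep0 proto tcp from 198.51.100.0/24 to 192.0.2.1/32 port = 22 flags S keep state
```

Load with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`, then watch `ipmon` to confirm that the logged blocks are the ones you expect.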