Subject: Re: ipfilter question / vulnerability?
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: Simon J. Gerraty <sjg@quick.com.au>
List: tech-security
Date: 09/27/1999 11:00:30
Message-Id: <199909270100.LAA26546@zen.quick.com.au>
Cc: sjg@quick.com.au, tech-security@netbsd.org
References: <19990924112653.A490@acheron.middleboro.ma.us> <99092410273400.13318@mogador.nettoll.com> <19990926162832.A441@acheron.middleboro.ma.us>

>The packets I'd want to reject are those that come in over my cable modem
>from the local net. If any of my neighbors are secretly evil, they could

I'm _not_ using NAT, but I'm not sure it should matter.
I have the following in my ipf.cfg:

# trusted interfaces: accept everything inbound without further checks
pass in quick on ep0 from any to any
pass in quick on lo0 from any to any
# let them talk to ppp0 only (no "quick", so later block rules can still override)
pass in on ppp0 from any to 203.12.250.130/32
#
block in log quick on ppp0 all with ipopts
block in log quick proto tcp all with short
# check for spoofing: our own net and RFC 1918 space must never arrive on ppp0
block in log quick on ppp0 from 203.12.250.0/24 to any
block in log quick on ppp0 from 127.0.0.0/8 to any
block in log quick on ppp0 from 10.0.0.0/8 to any
block in log quick on ppp0 from 192.168.0.0/16 to any
# RFC 1918 block is 172.16.0.0/12 (172.16.0.0-172.31.255.255); a /20 only covers 172.16.0.0-172.16.15.255
block in log quick on ppp0 from 172.16.0.0/12 to any
..
..

203.12.250.0 is my network.  

--sjg
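The ordering in that ipf.cfg only works because of how ipfilter walks its rules: the last matching rule decides, unless a matching rule carries "quick", which ends the walk at once. The "pass in on ppp0 ... to 203.12.250.130/32" line has no "quick", so a spoofed packet that matches it is still caught by the "quick" block rules that follow. The emulator below is an added example, not code from the mail or from ipfilter itself; it models only the interface/source/destination rules shown (the "with ipopts" and "with short" rules are omitted because they need packet header flags), and it uses the full RFC 1918 block 172.16.0.0/12 rather than the /20 in the posted config so that the effect of the mask can be compared. The sample packets are constructed.

```python
import ipaddress

# Constructed rule table mirroring the ipf.cfg from the mail, in posted order.
# Fields: action, quick, interface, source spec, destination spec.
# Assumed: 172.16.0.0/12 (full RFC 1918 range) instead of the posted /20.
RULES = [
    ("pass",  True,  "ep0",  "any",              "any"),
    ("pass",  True,  "lo0",  "any",              "any"),
    ("pass",  False, "ppp0", "any",              "203.12.250.130/32"),
    ("block", True,  "ppp0", "203.12.250.0/24",  "any"),
    ("block", True,  "ppp0", "127.0.0.0/8",      "any"),
    ("block", True,  "ppp0", "10.0.0.0/8",       "any"),
    ("block", True,  "ppp0", "192.168.0.0/16",   "any"),
    ("block", True,  "ppp0", "172.16.0.0/12",    "any"),
]


def _matches(spec, addr):
    """True if the address falls inside the rule's address spec ('any' matches all)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(iface, src, dst, rules=RULES):
    """Emulate ipfilter's inbound rule walk.

    The *last* matching rule wins, except that a matching rule marked 'quick'
    stops the walk immediately.  If no rule matches at all, ipfilter's default
    is to pass the packet.  Returns (action, index_of_deciding_rule_or_None).
    """
    result = ("pass", None)  # ipfilter default when nothing matches
    for idx, (action, quick, rif, rsrc, rdst) in enumerate(rules):
        if rif != iface:
            continue
        if not (_matches(rsrc, src) and _matches(rdst, dst)):
            continue
        result = (action, idx)
        if quick:
            break
    return result


def rules_with_narrow_172(rules=RULES):
    """Same table, but with the /20 mask as posted, for comparison."""
    narrow = list(rules)
    narrow[7] = ("block", True, "ppp0", "172.16.0.0/20", "any")
    return narrow


if __name__ == "__main__":
    # Constructed packets: (interface, source, destination, what it illustrates)
    samples = [
        ("ppp0", "203.12.250.77", "203.12.250.130", "spoofed local source: pass rule matched first, quick block wins"),
        ("ppp0", "198.51.100.5",  "203.12.250.130", "ordinary remote host to our address: pass rule is last match"),
        ("ppp0", "198.51.100.5",  "203.12.250.131", "no rule shown matches: ipfilter default is pass"),
        ("ep0",  "10.0.0.5",      "203.12.250.130", "inside interface: quick pass, anti-spoof rules never consulted"),
        ("ppp0", "172.16.200.1",  "203.12.250.130", "RFC 1918 source outside the /20 but inside the /12"),
    ]
    for iface, src, dst, why in samples:
        print(f"{iface:5} {src:>15} -> {dst:<16} {evaluate(iface, src, dst)}  # {why}")
    print("same 172.16.200.1 packet with the posted /20 mask:",
          evaluate("ppp0", "172.16.200.1", "203.12.250.130", rules_with_narrow_172()))
```

Two things worth noticing in the output: the packet with no matching rule is passed, which is why a rule set like this is normally finished with a final "block in all" (the ".." in the mail may well hold one), and the 172.16.200.1 packet is blocked under /12 but passed under the posted /20 mask.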