Subject: Re: something strange with mbuf length...
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 04/22/2006 12:05:48
On Sat, 22 Apr 2006 11:37:53 -0400, "Steven M. Bellovin"
<smb@cs.columbia.edu> wrote:
> Here's my rule set:
>
> pass in quick on lo0 from any to any
>
> block in quick from any to any port = 7911
> block in quick from any to any port = 8010
> block out quick from any to any port = 5222
> pass in all
>
> 7911 is because I sometimes play with OMAPI, 8010 is to block the file
> transfer ability of pkgsrc/chat/psi, and 5222 is to work around a bad
> misfeature in earlier versions of psi.
>
> When I'm using ppp over my EVDO card, I add something like these rules in
> an ip-up script and delete them in ip-down; the purpose is to prevent the
> machine from emitting packets with an incorrect IP address over that link.
>
> block return-icmp out log on ppp0 from any to any
> block return-rst out log on ppp0 proto tcp from any to any
> pass out on ppp0 from 70.217.43.30 to any
>
> The exact IP address changes, of course. (This isn't the thread to
> describe the problems several of us have had with EVDO cards; Greg Troxel
> had the insight that this would help. While it clearly isn't the whole
> explanation, it has helped a lot. Contact me offlist for details.)
>
> That's it; there are no other rules, interfaces, NAT, etc.
>
Of course, I got it wrong; I have an ipf6.conf file, too. It's identical
to the first section above. I don't add any ipv6 rules for the second
part because my card doesn't support IPv6; if I try to enable it, I get
Protocol-Reject for 'IPv6 Control Protovol' (0x8057) received
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
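As an added illustration (not the poster's own scripts) of the ip-up/ip-down arrangement described in the quoted message: pppd invokes those scripts with the interface as `$1` and the local address as `$4`, so the per-link egress rules can be generated from the arguments rather than edited by hand each time the address changes. The `ipf -f -` / `ipf -r -f -` invocations and the fail-closed handling of a missing address are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. pppd calls ip-up and ip-down as
#   <script> <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# so $1 is e.g. ppp0 and $4 is the address assigned to this end of the link.

# Emit the egress rules for one link. The blocks come first so that, if no
# usable address is known, the link still carries nothing from this host.
egress_rules() {
    iface=$1
    local_ip=$2
    printf 'block return-icmp out log on %s from any to any\n' "$iface"
    printf 'block return-rst out log on %s proto tcp from any to any\n' "$iface"
    # Fail closed: with an empty or malformed address emit only the block
    # rules and signal failure so the caller can log it.
    case $local_ip in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf 'pass out on %s from %s to any\n' "$iface" "$local_ip"
}

# ip-up: append the generated rules to the active ipf rule set (assumed use of
# ipf -f - to read rules from stdin).
ip_up() {
    egress_rules "$1" "$4" | ipf -f -
}

# ip-down: remove exactly the rules that ip-up added (ipf -r removes rules
# matching those read from the file).
ip_down() {
    egress_rules "$1" "$4" | ipf -r -f -
}

# Dispatch on the script name so one file can serve as both hooks.
case "$(basename "$0")" in
    ip-up)   ip_up "$@" ;;
    ip-down) ip_down "$@" ;;
esac
```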