| | | |
|---|---|---|
| author | Scott Ullrich <sullrich@pfsense.org> | 2007-04-20 20:39:17 +0000 |
| committer | Scott Ullrich <sullrich@pfsense.org> | 2007-04-20 20:39:17 +0000 |
| commit | 172e3474e212e39a9107af32f8bc199c2a63e0f1 (patch) | |
| tree | 361179f119bcefc70615e7c4a2d3b3dbd95c0d1a /etc | |
| parent | 38e5cd1e0150fb42feb06d7cfe923fa599b99586 (diff) | |
| download | pfsense-172e3474e212e39a9107af32f8bc199c2a63e0f1.zip pfsense-172e3474e212e39a9107af32f8bc199c2a63e0f1.tar.gz | |
Block traffic from source port 0 or destination port 0. Some crafty folks try to evade packet filters by using this type of trickery.
See http://www.securityfocus.com/archive/75/402099/30/0/threaded for more information.
Diffstat (limited to 'etc')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | etc/inc/filter.inc | 4 |

1 files changed, 4 insertions, 0 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index e716016..4680db5 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2072,6 +2072,10 @@ function filter_rules_generate() { $ipfrules .= <<<EOD +# We use the mighty pf, we cannot be fooled. +block quick proto { tcp, udp } from any port = 0 to any +block quick proto { tcp, udp } from any to any port = 0 + # snort2c table <snort2c> persist block quick from <snort2c> to any label "Block snort2c hosts" |
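Review bot: the two new `block quick proto { tcp, udp }` rules carry neither `log` nor a `label`, unlike the snort2c rule in the trailing context (`block quick from <snort2c> to any label "Block snort2c hosts"`), so pf will drop port-0 packets silently: nothing reaches the firewall log and there is no per-rule counter to read with `pfctl -s labels` when checking whether the rule ever fires. Suggest `block log quick proto { tcp, udp } from any port = 0 to any label "Block source port 0"` and the equivalent `label "Block destination port 0"` on the second rule. The comment `# We use the mighty pf, we cannot be fooled.` should also state what the rules are for (blocking source/destination port 0 as described in the commit message, with the advisory URL), so the generated ruleset explains itself to whoever reads `pfctl -sr` output later.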