diff options
author | Scott Ullrich <sullrich@pfsense.org> | 2007-04-20 20:36:39 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2007-04-20 20:36:39 +0000 |
commit | 66119c8a10668b807be6f720f928feb6b8db126c (patch) | |
tree | 28e33242029e9dec0c7b6facb6cc61f4db8a535d /etc | |
parent | 73924eeef08d6dfef60b469d9cdc47e1cb09690f (diff) | |
download | pfsense-66119c8a10668b807be6f720f928feb6b8db126c.zip pfsense-66119c8a10668b807be6f720f928feb6b8db126c.tar.gz |
Block traffic from source port 0 or destination port 0. Some crafty folks try to evade packet filters by using this type of trickery.
See http://www.securityfocus.com/archive/75/402099/30/0/threaded for more information.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 66b3d79..faedd7f 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2064,6 +2064,10 @@ function filter_rules_generate() { $ipfrules .= <<<EOD +# We use the mighty pf, we cannot be fooled. +block quick proto { tcp, udp } from any port = 0 to any +block quick proto { tcp, udp } from any to any port = 0 + # snort2c table <snort2c> persist block quick from <snort2c> to any label "Block snort2c hosts" |