On Fri, Jan 23, 2004 at 07:07:28PM +1100, Alan Harper wrote:
: On Wed, Jan 21, 2004 at 01:24:33PM -0700, James Burton wrote:
: >
: > A week ago, I installed SNORT on the iMac I use as a server, and the
: > past two days I've been getting alerts of suspicious traffic
: > "BAD-TRAFFIC loopback traffic"
: >
: > A file referenced in the alert explains that this happens when someone
: > spoofs an internal IP and uses it to snoop for exploitable ports.
: >
: > The file also says that to combat this, one should employ an "egress
: > filter." Does anyone know how to set this up on OSX? One would think
: > that this would be built-in since it seems to be a common avenue of
: > attack.
:
: I've never heard of this, but it's quite common for firewalls to
: specifically block IP ranges which are wrong for that interface. Some
: sort of ipfw script which only permitted packets on your internal
: subnet to come via the appropriate interface would have a desirable
: secure effect. Hope this sets you in the right direction

Egress filtering: block outgoing connections from invalid internal
source addresses.

--
Eugene Lee
http://www.coxar.pwp.blueyonder.co.uk/
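
The filtering discussed in this thread, written as ipfw rules (an added example, not part of the original messages and not from any of the posters). The interface name en0, the subnet 192.168.1.0/24, the rule numbers and a statically addressed host are assumptions; adjust them to the actual network.

```shell
#!/bin/sh
# Added example: anti-spoofing (ingress + egress) rules for ipfw.
# Assumptions (not from the thread): external interface en0, internal
# subnet 192.168.1.0/24, rule numbers 1000-1030, static addressing.
EXT_IF="${EXT_IF:-en0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Accept only dotted-quad/prefix so nothing unexpected reaches ipfw.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print one ipfw rule body per line; has no side effects.
antispoof_rules() {
    valid_cidr "$LAN_NET" || { echo "bad LAN_NET: $LAN_NET" >&2; return 1; }
    # Ingress: loopback addresses must never appear on a physical interface.
    echo "add 1000 deny log ip from 127.0.0.0/8 to any in via $EXT_IF"
    echo "add 1010 deny log ip from any to 127.0.0.0/8 in via $EXT_IF"
    # Egress: nothing addressed to loopback leaves the machine ...
    echo "add 1020 deny log ip from any to 127.0.0.0/8 out via $EXT_IF"
    # ... and nothing leaves with a source outside the internal subnet.
    echo "add 1030 deny log ip from not $LAN_NET to any out via $EXT_IF"
}

# Install the rules only when asked to; needs root and the ipfw binary.
if [ "${1:-}" = "--apply" ]; then
    rules=$(antispoof_rules) || exit 1
    printf '%s\n' "$rules" | while read -r rule; do
        # Word splitting is intended: each rule is a list of ipfw arguments.
        ipfw -q $rule || exit 1
    done
fi
```

Run it as root with `--apply` to install the rules; without the argument it installs nothing. Matches on the `log` rules are reported only when the sysctl `net.inet.ip.fw.verbose` is set to 1.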