Date: Sun, 14 Apr 2002 18:04:47 +0800
From: Igor M Podlesny
To: net@FreeBSD.ORG
Cc: freebsd-isp@FreeBSD.ORG
Subject: patch -- An ingress filter (RFC2827)
Message-ID: <20020414180447.A93954@mars-gw.morning.ru>

Hello!

I'd like to know your opinion about this patch

    http://www.morning.ru/~poige/patchzone/ingressfiltering.patch

which is my attempt to implement an ingress filter, inspired by RFC2827 "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing" (http://www.ietf.org/rfc/rfc2827.txt).

It should be mentioned, IMHO, that this code makes another one in ip_input.c kind of redundant -- I mean the code checking/blocking the 127/8 network "on wire". BTW, I suggest, if not removing it completely, then adding (sys)logging to it -- 127/8 spoofing certainly should be logged. :)

Another thing to pay attention to: I deem it'd be better if such a filter were built into ip_fw.c, allowing such syntax for ipfw(8):

    deny log ip from any to any in via fxp0 spoofed

But AFAIS in ip_fw.h:

    #define IP_FW_F_IN   0x00000100
    ...
    #define IP_FW_F_DME  0x40000000 /* destination = me */
    #define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */

and

    u_int32_t fw_flg;

there is no free space for any additional flags...

So, I was a bit unsure whether I should expand fw_flg to u_int64_t and do any other extensions. For now I decided just to write something like a draft, test it (it seems to be working ;), and ask you, people, for your comments/ideas on it.

P.S. A bit more info on this patch is at http://www.morning.ru/~poige/patchzone/

-- 
Igor M Podlesny a.k.a. Poige
http://WwW.MorninG.RU/~poige
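The RFC2827 decision the patch makes in the kernel, shown here in user-space form as an added example (not the patch's code, nor FreeBSD's): a per-interface prefix table (interface names and prefixes are constructed for illustration) decides whether a source address is legitimately reachable behind the interface the packet arrived on; anything else is treated as spoofed, and a 127/8 source on the wire is always rejected and logged, as the mail suggests. Interfaces absent from the table (an upstream link, say) are left unfiltered.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed per-interface prefix table: the prefixes that may legitimately
 * originate traffic arriving on the named ingress interface. */
struct ingress_prefix {
    const char *ifname;
    const char *prefix;   /* network address, dotted quad */
    int plen;             /* prefix length in bits */
};

static const struct ingress_prefix prefix_table[] = {
    { "fxp0", "192.0.2.0",    24 },  /* sample customer LAN behind fxp0 */
    { "fxp0", "198.51.100.0", 25 },
    { "fxp1", "203.0.113.0",  24 },
};

/* Netmask for a prefix length, in network byte order (plen 0 => 0). */
static uint32_t mask_of(int plen) {
    return plen == 0 ? 0 : htonl(~0u << (32 - plen));
}

/* Parse a dotted quad into network byte order; 0 on failure. */
static int parse_ip(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = a.s_addr;
    return 1;
}

/* RFC2827 ingress check: 1 = accept, 0 = spoofed (or unparsable) source. */
int ingress_filter_check(const char *ifname, const char *src) {
    uint32_t s, net;
    int filtered = 0;   /* does the table say anything about this interface? */
    if (!parse_ip(src, &s)) return 0;
    if ((ntohl(s) & 0xff000000u) == 0x7f000000u) {      /* 127/8 on the wire */
        fprintf(stderr, "ingress: 127/8 source %s on %s\n", src, ifname);
        return 0;
    }
    for (size_t i = 0; i < sizeof prefix_table / sizeof prefix_table[0]; i++) {
        if (strcmp(prefix_table[i].ifname, ifname) != 0) continue;
        filtered = 1;
        if (!parse_ip(prefix_table[i].prefix, &net)) continue;
        uint32_t m = mask_of(prefix_table[i].plen);
        if ((s & m) == (net & m)) return 1;          /* source belongs here */
    }
    if (!filtered) return 1;                          /* interface not filtered */
    fprintf(stderr, "ingress: spoofed source %s on %s\n", src, ifname);
    return 0;
}
```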