Date:      Sat, 5 Jan 2002 13:21:39 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        <cjclark@alum.mit.edu>
Cc:        "FBSD Questions" <questions@FreeBSD.ORG>
Subject:   RE: How to Stop IP spoofing in ipfw
Message-ID:  <LPBBIGIAAKKEOEJOLEGOEEGLCLAA.barbish@a1poweruser.com>
In-Reply-To: <20020104161354.D1205@gohan.cjclark.org>

So are you recommending keep-state for tcp over 
dynamic table using setup, established, frag? 

-----Original Message-----
From: Crist J. Clark [mailto:cristjc@earthlink.net]
Sent: Friday, January 04, 2002 7:14 PM
To: Joe & Fhe Barbish
Cc: FBSD Questions
Subject: Re: How to Stop IP spoofing in ipfw

On Fri, Jan 04, 2002 at 11:38:10AM -0500, Joe & Fhe Barbish wrote:
> In IPFW how do I protect myself from IP spoofing?
> Can you give me working rules?

There is no way to absolutely stop IP spoofing since IP is
unauthenticated. Generally, the best you can do is block spoofed
addresses that might be dangerous. That is, if you have a gateway, and
the networks, $net1:$mask1 and $net2:$mask2 live on the inside, you
_always_ want to block stuff coming in the gateway's outer interface
with those source addresses. Someone might be trying to do something
nasty,

  ipfw add drop ip from $net1:$mask1 to any in via $oif
  ipfw add drop ip from $net2:$mask2 to any in via $oif

Likewise, a good netizen does egress filtering to stop his network
from being used to spoof and only allows expected traffic with
expected source addresses out. So if you allow most anything out of
your local network with keep-state,

  ipfw add pass tcp from $net1:$mask1 to any in via $iif keep-state
  ipfw add pass tcp from $net2:$mask2 to any in via $iif keep-state
  ipfw add pass udp from $net1:$mask1 to any in via $iif keep-state
  ipfw add pass udp from $net2:$mask2 to any in via $iif keep-state
  ipfw add drop ip from any to any in via $iif

Would be doing egress filtering of spoofed addresses.

These types of anti-spoofing precautions also apply to a standalone
host or the gateway itself. It should not be accepting packets with
its own address as the source address,

  ipfw add drop ip from $oip to any in via $oif

(There is one exception to this rule when a machine needs to hear its
own broadcasts.)

Some people refer to using RFC1918 addresses or other reserved IP
blocks as "spoofing" too. Blocking these is trivial and examples are
in the default rc.network file. However, there is not a lot of reason
to worry too much about blocking that kind of traffic anyway; it is
not particularly dangerous.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org 
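The ingress and egress rules quoted in Crist's reply, modeled as an added example (not code from the thread and not ipfw itself) so a rule set can be checked against sample packets before it goes on a gateway. Interface names, the gateway address and the inside networks are constructed placeholders, and keep-state's dynamic table is not modeled: the model only decides what the static first-match rules do with an incoming packet.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str     # source address as written in the packet header
    iface: str   # interface the packet arrived on ("in via")
    proto: str = "tcp"


def build_antispoof_rules(inside_nets, oif, iif, oip):
    """Return the thread's rules as ordered (action, predicate) pairs.

    inside_nets: networks living behind the gateway ($net1:$mask1, ...)
    oif / iif:   outer and inner interface names ($oif / $iif)
    oip:         the gateway's own outer address ($oip)
    """
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    own = ipaddress.ip_address(oip)
    rules = []
    # Ingress: an inside source address arriving on the outer interface
    # cannot be genuine, so it is dropped unconditionally.
    for net in nets:
        rules.append(("drop", lambda p, net=net:
                      p.iface == oif and ipaddress.ip_address(p.src) in net))
    # The gateway's own address must never arrive from outside either.
    rules.append(("drop", lambda p:
                  p.iface == oif and ipaddress.ip_address(p.src) == own))
    # Egress: only tcp/udp with an expected inside source may leave via
    # the inner interface; everything else entering there is dropped.
    for net in nets:
        for proto in ("tcp", "udp"):
            rules.append(("pass", lambda p, net=net, proto=proto:
                          p.iface == iif and p.proto == proto
                          and ipaddress.ip_address(p.src) in net))
    rules.append(("drop", lambda p: p.iface == iif))
    return rules


def verdict(rules, pkt):
    """ipfw is first-match: the first predicate that fires decides."""
    for action, pred in rules:
        if pred(pkt):
            return action
    return "no-match"   # would fall through to the rest of a real rule set
```

Note that an ICMP packet from an inside host is dropped by the final egress rule, because the quoted rules only pass tcp and udp.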