Date:      Tue, 6 Feb 2001 13:47:20 -0800 (PST)
From:      Luigi Rizzo <rizzo@aciri.org>
To:        richw@webcom.com (Rich Wales)
Cc:        rizzo@aciri.org, julian@elischer.org, patrick@netzuno.com, freebsd-net@FreeBSD.ORG, julian@FreeBSD.ORG
Subject:   Re: Dueling ARP replies and firewall filtering
Message-ID:  <200102062147.f16LlKQ44847@iguana.aciri.org>
In-Reply-To: <20010206212535.24026.richw@wyattearp.stanford.edu> from Rich Wales at "Feb 6, 2001  1:43: 5 pm"

> Another thought about the "dueling ARP reply" issue.

People, it's a minor bug, I am looking into fixing it, just be patient.

Securitywise, also remember that all bridges or switches can 'leak'
packets to interfaces other than the one where the designated receiver is.

	cheers
	luigi

> In one way, I suppose it's not a serious problem, because even if
> the "wrong" hardware address gets cached, packets still get through,
> and communication is not cut off.
> 
> On the other hand, it =may= be a problem from a security standpoint.
> Suppose I want to protect myself from spoofing attacks, by ensuring
> that traffic from a given IP address only uses a specific interface.
> 
> In my case, since I =know= that my desktop is connected to my bridge
> via the bridge's "rl0" NIC, any traffic arriving on the bridge's "xl0"
> NIC (my link to the Internet at large) -- but claiming to be from the
> desktop's IP address -- is clearly a sign of an impostor trying to
> break into my network.
> 
> Now, if I were using a conventional (non-bridge) router, I could protect
> myself from such spoof attacks by tailoring my firewall rules to
> match the receiving interface, as well as the IP address.  I =think=
> I should be able to do the same with a bridging router too, but will
> this work if the desktop is using the "wrong" MAC address to contact
> the bridge?
> 
> Stated another way, if my desktop thinks that the bridge's MAC address
> is the address of its "xl0" NIC, does this mean that traffic arriving
> on the bridge from the desktop will appear (for firewall purposes) to
> be arriving via "xl0" -- even though it really came in via "rl0"?
> 
> Julian, when the firewall code (ipfw or ipfilter, I don't really care
> which) is finally integrated into the netgraph bridge code, will this
> issue be taken into account?
> 
> Rich Wales         richw@webcom.com         http://www.webcom.com/richw/
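Example ipfw rules for the interface-based anti-spoofing Rich Wales describes above, added here as an illustration rather than anything posted in the thread; the interface names rl0 and xl0 come from the message, the addresses are constructed placeholders, and it assumes ipfw sees the bridged traffic:

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ingress anti-spoofing rules for
# a two-port FreeBSD bridge, keyed on the receiving interface plus the
# source address. Assumptions: rl0 is the inside port the desktop is wired
# to, xl0 faces the Internet, and the desktop address is the constructed
# placeholder 192.0.2.10.
# FWCMD defaults to a dry run that only prints the rules; run with
# FWCMD=/sbin/ipfw on a bridge where ipfw sees bridged traffic to load them.
FWCMD="${FWCMD:-echo /sbin/ipfw}"

INSIDE_IF="rl0"            # port the protected desktop is attached to
OUTSIDE_IF="xl0"           # untrusted link
DESKTOP="192.0.2.10"       # constructed placeholder, not a real host
INSIDE_NET="192.0.2.0/24"  # constructed placeholder for the inside subnet

antispoof_rules() {
    # Anything claiming the desktop's address, or any inside address, but
    # received on the outside port can only be spoofed: drop and log it.
    $FWCMD add 100 deny log ip from "$DESKTOP" to any in via "$OUTSIDE_IF"
    $FWCMD add 110 deny log ip from "$INSIDE_NET" to any in via "$OUTSIDE_IF"
    # Loopback sources never legitimately arrive from the outside either.
    $FWCMD add 120 deny log ip from 127.0.0.0/8 to any in via "$OUTSIDE_IF"
    # The desktop is admitted only through the port it is physically on.
    # 'in via' matches the interface ipfw reports as the receiving one,
    # which is exactly what the thread asks the bridge code to get right.
    $FWCMD add 200 allow ip from "$DESKTOP" to any in via "$INSIDE_IF"
}

antispoof_rules
```

Without FWCMD set the script only prints the four rules, so the ruleset can be reviewed before it is applied.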