From owner-freebsd-questions Sat Jan 5 10:21:48 2002
From: "Joe & Fhe Barbish"
To:
Cc: "FBSD Questions"
Subject: RE: How to Stop IP spoofing in ipfw
Date: Sat, 5 Jan 2002 13:21:39 -0500
In-Reply-To: <20020104161354.D1205@gohan.cjclark.org>

So are you recommending keep-state for tcp over dynamic table using setup, established, frag?

-----Original Message-----
From: Crist J. Clark [mailto:cristjc@earthlink.net]
Sent: Friday, January 04, 2002 7:14 PM
To: Joe & Fhe Barbish
Cc: FBSD Questions
Subject: Re: How to Stop IP spoofing in ipfw

On Fri, Jan 04, 2002 at 11:38:10AM -0500, Joe & Fhe Barbish wrote:
> In IPFW how do I protect myself from IP spoofing?
> Can you give me working rules?

There is no way to absolutely stop IP spoofing since IP is unauthenticated. Generally, the best you can do is block spoofed addresses that might be dangerous. That is, if you have a gateway, and the networks, $net1:$mask1 and $net2:$mask2, live on the inside, you _always_ want to block stuff coming in the gateway's outer interface with those source addresses. Someone might be trying to do something nasty,

  ipfw add drop ip from $net1:$mask1 to any in via $oif
  ipfw add drop ip from $net2:$mask2 to any in via $oif

Likewise, a good netizen does egress filtering to stop his network from being used to spoof and only allows expected traffic with expected source addresses out. So if you allow most anything out of your local network with keep-state,

  ipfw add pass tcp from $net1:$mask1 to any in via $iif keep-state
  ipfw add pass tcp from $net2:$mask2 to any in via $iif keep-state
  ipfw add pass udp from $net1:$mask1 to any in via $iif keep-state
  ipfw add pass udp from $net2:$mask2 to any in via $iif keep-state
  ipfw add drop ip from any to any in via $iif

would be doing egress filtering of spoofed addresses.

These types of anti-spoofing precautions also apply to a standalone host or the gateway itself. It should not be accepting packets with its own address as the source address,

  ipfw add drop ip from $oip to any in via $oif

(There is one exception to this rule when a machine needs to hear its own broadcasts.)

Some people refer to using RFC1918 addresses or other reserved IP blocks as "spoofing" too. Blocking these is trivial and examples are in the default rc.network file. However, there is not a lot of reason to worry too much about blocking that kind of traffic anyway; it is not particularly dangerous.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
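Added example, not part of the thread above: a small sh script that assembles the ingress and egress anti-spoofing rules Crist describes into one ordered ipfw ruleset, the way a practitioner would keep them in a firewall script. Interface names, addresses and rule numbers are assumptions; `deny` is ipfw's spelling of the `drop` used in the message. By default the script only prints the rules (the `fwcmd` variable expands to `echo ipfw`); set `FWCMD=/sbin/ipfw` to load them for real.

```shell
#!/bin/sh
# Added example (not from the original thread): ipfw anti-spoofing skeleton.
# Interface names, addresses and rule numbers below are hypothetical values.
oif="fxp0"                 # outside interface
oip="203.0.113.10"         # this gateway's own outside address
iif="fxp1"                 # inside interface
net1="192.168.1.0/24"      # inside networks that must never appear as a
net2="192.168.2.0/24"      # source on packets arriving from the outside

# Dry run unless FWCMD is set: "echo ipfw add ..." just prints each rule.
# To load for real (as root, on an ipfw-enabled kernel): FWCMD=/sbin/ipfw ./antispoof.sh
# No flush is done here; splice these in ahead of any broad "allow" rule,
# since ipfw is first-match.
fwcmd="${FWCMD:-echo ipfw}"

antispoof_rules() {
    # Ingress: packets arriving on the outside interface may not claim an
    # inside source address, nor the gateway's own address.
    $fwcmd add 100 deny ip from $net1 to any in via $oif
    $fwcmd add 110 deny ip from $net2 to any in via $oif
    # Drop this rule if the box must hear its own broadcasts (see the message above).
    $fwcmd add 120 deny ip from $oip to any in via $oif

    # Let replies matched by dynamic (keep-state) rules through early.
    $fwcmd add 200 check-state

    # Egress: only packets sourced from the inside networks may enter on the
    # inside interface; "setup" restricts the dynamic-rule creation to TCP SYNs.
    $fwcmd add 300 allow tcp from $net1 to any in via $iif setup keep-state
    $fwcmd add 310 allow tcp from $net2 to any in via $iif setup keep-state
    $fwcmd add 320 allow udp from $net1 to any in via $iif keep-state
    $fwcmd add 330 allow udp from $net2 to any in via $iif keep-state
    # Anything else entering from the inside has a bogus source: spoofed or misconfigured.
    $fwcmd add 390 deny ip from any to any in via $iif
}

antispoof_rules
```

The ordering matters: the denies and `check-state` sit before the `allow ... keep-state` rules so that a spoofed packet can neither be passed by an earlier broad rule nor create a dynamic entry of its own. Later ipfw versions also offer the `antispoof` option, which performs the same "source belongs to a directly connected network but arrived on the wrong interface" check without listing each network by hand; the explicit rules above make the intent visible and work on the ipfw of the era the thread is from.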