Date: Mon, 14 Apr 97 14:35:18 CDT
From: Joe Greco <jgreco@solaria.sol.net>
To: ipfilter@coombs.anu.edu.au, isp@freebsd.org
Subject: IP Filter ...
Message-ID: <199704141935.OAA07048@solaria.sol.net>
I am tearing my hair out a little...
I've been using a slightly modified version of ipfw for quite some time
but have been looking at ipfilter as a solution for some scenarios.
I typically install fairly complex filters, and I cannot find a way to
duplicate the functionality with ipfilter.
My problem seems to revolve around my inability to either control the
order of processing within the chain, or what could be considered a
minor deficiency in the filter rules: a lack of negation.
Let me explain what I want to be able to do:
My typical firewall is composed of three (potentially overlapping)
logical sets of directives: "bad stuff" trapping, "spoofing" trapping,
and "local policy" trapping.
If a packet fails any one of the three test stanzas, I want to drop it
hard on the floor.
For example... a router's configuration might look something like this
(LINK_IFC is the address of the point-to-point link to the outside world,
GATEWAY_IFC is the address of the router on the local net):
# ----- IP Bad Address Prevention Section -----
# Block RFC1597 "Private Internets" (inbound)
block in quick on ${LINK_IFC} from 10.0.0.0/8 to any
block in quick on ${LINK_IFC} from 172.16.0.0/12 to any
block in quick on ${LINK_IFC} from 192.168.0.0/16 to any
# Block other "Shouldn't Exist" Internets (inbound)
block in quick on ${LINK_IFC} from 127.0.0.0/8 to any
block in quick on ${LINK_IFC} from 0.0.0.0/8 to any
# Block RFC1597 "Private Internets" as Source Address (outbound)
block in quick on ${GATEWAY_IFC} from 10.0.0.0/8 to any
block in quick on ${GATEWAY_IFC} from 172.16.0.0/12 to any
block in quick on ${GATEWAY_IFC} from 192.168.0.0/16 to any
# Block RFC1597 "Private Internets" as Destination Address (outbound)
block in quick on ${GATEWAY_IFC} from any to 10.0.0.0/8
block in quick on ${GATEWAY_IFC} from any to 172.16.0.0/12
block in quick on ${GATEWAY_IFC} from any to 192.168.0.0/16
# Block other "Shouldn't Exist" Internets as Source Address (outbound)
block in quick on ${GATEWAY_IFC} from 127.0.0.0/8 to any
block in quick on ${GATEWAY_IFC} from 0.0.0.0/8 to any
# Block other "Shouldn't Exist" Internets as Destination Address (outbound)
block in quick on ${GATEWAY_IFC} from any to 127.0.0.0/8
block in quick on ${GATEWAY_IFC} from any to 0.0.0.0/8
#
# ----- IP Spoofing Prevention Section -----
# Block inbound pkts from addresses "on" my net (inbound)
# (add as many lines as needed)
block in on ${LINK_IFC} from ${ADDRESS_BLOCK} to any
# Disallow all Source Addresses (outbound)
block in on ${GATEWAY_IFC} from any to any
# Only allow outbound pkts from addresses "on" my net (outbound)
# (add as many lines as needed)
pass in on ${GATEWAY_IFC} from ${ADDRESS_BLOCK} to any
# Disallow all Destination Addresses (inbound)
block in on ${LINK_IFC} from any to any
# Only allow inbound pkts to addresses "on" my net (inbound)
# (add as many lines as needed)
pass in on ${LINK_IFC} from any to ${LINK_IFC}
pass in on ${LINK_IFC} from any to ${ADDRESS_BLOCK}
#
# ----- Local Policy Section -----
...
This is enough to demonstrate my problem, however.
The first section, "bad address" rejection, can be handled in a mildly
roundabout way by using "quick" to always terminate rule processing as
soon as we detect something bad.
The mess starts in the second section, with the second rule. (I am quite
aware that some of these rules overlap with previous rules.)
I stop all packets leaving my network, but then on the next line(s)
I explicitly allow packets with a source address that originated on
my net to pass. No problem.
Then I do the same thing for inbound destination addresses. I think that
I am still fine.
However, now, think about what any local policy additions would do to
the state of a packet that would otherwise have been blocked.
pass in on any port domain to any port domain
as a somewhat useless example. If someone on the local ethernet were
spoofing DNS, this would short-circuit the previous determination that
the packet was illegitimate. (Yes, I know I could qualify the addresses
in that line, but that gets complex rather quickly in a nontrivial
configuration).
I think what I am really looking for is a rule that simply checks the
current state of the packet at a given point in the rule processing list
and if it is set a particular way, terminates rule processing.
Or, maybe, better yet, some sort of "goto" conditional. I come from a
digital logic background and I can trivially translate a complex logic
equation of this sort into a decision tree, but one needs to have some
control...
I can sort of work around this in a limited fashion, for simple
configurations, but on a router where I have a dozen interfaces, and
I do not trust the customer on the other end of a wire, I would really
REALLY like to be able to write rules to do this sort of stuff without
it becoming a challenge in complexity.
Comments or ideas are welcome.
... Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI 414/342-4847
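As an added example (not part of the post, and not ipfilter's own code), the following small Python evaluator models the rule processing the post relies on: rules are scanned top to bottom, the last matching rule decides the packet's fate, and a matching rule marked "quick" stops the scan immediately. It runs the post's spoofing section plus its DNS policy rule against four constructed packets, then runs a second rule set in which every spoof check is a terminating "quick" block written with the source/destination negation the post asks for. The interface names ppp0 and le0, the local block 192.0.2.0/24, the packets, the rule-syntax subset and the "!" negation are all assumptions of this toy, not claims about the ipfilter version of the time.

```python
"""Toy model of ipfilter rule processing as the post relies on it: rules are
scanned top to bottom, the LAST matching rule decides the packet's fate, and a
matching rule marked ``quick`` stops the scan at once.  With no match at all
the packet passes (ipfilter's default).  Added example: the rule-syntax
subset, interface names, address blocks and packets are all constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = Optional[ipaddress.IPv4Network]   # None means "any"


@dataclass
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    quick: bool
    iface: str           # interface name or "any"
    src: Net
    src_neg: bool        # True for "from !net" (the negation the post asks for)
    sport: Optional[int]
    dst: Net
    dst_neg: bool
    dport: Optional[int]


@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr(tok):
    """'any', 'net/len' or '!net/len' -> (network-or-None, negated)."""
    neg = tok.startswith("!")
    tok = tok.lstrip("!")
    return (None if tok == "any" else ipaddress.ip_network(tok, strict=False)), neg


def parse_rule(line):
    """<pass|block> <in|out> [quick] on <ifc> from <addr> [port = N] to <addr> [port = N]"""
    t = line.split()
    i, quick = 2, t[2] == "quick"
    if quick:
        i += 1
    assert t[i] == "on" and t[i + 2] == "from"
    iface = t[i + 1]
    src, src_neg = _addr(t[i + 3])
    i += 4
    sport = None
    if t[i] == "port":                       # "port = N"
        sport, i = int(t[i + 2]), i + 3
    assert t[i] == "to"
    dst, dst_neg = _addr(t[i + 1])
    i += 2
    dport = int(t[i + 2]) if i < len(t) and t[i] == "port" else None
    return Rule(t[0], t[1], quick, iface, src, src_neg, sport, dst, dst_neg, dport)


def _in(net, neg, addr):
    if net is None:
        return True
    return (ipaddress.ip_address(addr) in net) != neg


def matches(r, p):
    return (r.direction == p.direction and r.iface in ("any", p.iface)
            and _in(r.src, r.src_neg, p.src) and _in(r.dst, r.dst_neg, p.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport))


def evaluate(rules, pkt):
    """Return (verdict, index of the deciding rule); index None = default pass."""
    verdict, which = "pass", None
    for n, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, which = rule.action, n
            if rule.quick:                   # quick: stop scanning here
                break
    return verdict, which


LINK, GW, LOCAL = "ppp0", "le0", "192.0.2.0/24"   # constructed names/addresses

# The post's spoofing section (one private block kept from the "bad address"
# section, the pass for the link address itself omitted) plus its DNS policy rule.
ORIGINAL = [parse_rule(r) for r in (
    f"block in quick on {LINK} from 10.0.0.0/8 to any",
    f"block in on {LINK} from {LOCAL} to any",               # 1: inbound spoof of our net
    f"block in on {GW} from any to any",                     # 2
    f"pass in on {GW} from {LOCAL} to any",                  # 3: only our sources leave
    f"block in on {LINK} from any to any",                   # 4
    f"pass in on {LINK} from any to {LOCAL}",                # 5: only our dests enter
    f"pass in on any from any port = 53 to any port = 53",   # 6: local policy
)]
# Same policy, but every spoof check is a terminating "quick" block and the
# allowed set is written as a negated match instead of a later pass.
FIXED = [parse_rule(r) for r in (
    f"block in quick on {LINK} from 10.0.0.0/8 to any",
    f"block in quick on {LINK} from {LOCAL} to any",         # 1
    f"block in quick on {GW} from !{LOCAL} to any",          # 2
    f"block in quick on {LINK} from any to !{LOCAL}",        # 3
    f"pass in on any from any port = 53 to any port = 53",   # 4
)]

SPOOFED_OUT = Packet("in", GW, "203.0.113.9", "198.51.100.1", 53, 53)   # forged source, from inside
LEGIT_OUT = Packet("in", GW, "192.0.2.10", "198.51.100.1", 53, 53)
SPOOFED_IN = Packet("in", LINK, "192.0.2.10", "192.0.2.5", 40000, 80)   # our net as source, from outside
LEGIT_IN = Packet("in", LINK, "198.51.100.1", "192.0.2.10", 53, 53)


def compare():
    """Verdict under each rule set for the four constructed packets."""
    return {name: (evaluate(ORIGINAL, p), evaluate(FIXED, p))
            for name, p in [("spoofed_out", SPOOFED_OUT), ("legit_out", LEGIT_OUT),
                            ("spoofed_in", SPOOFED_IN), ("legit_in", LEGIT_IN)]}


if __name__ == "__main__":
    for name, (orig, fixed) in compare().items():
        print(f"{name:12s} original={orig}  fixed={fixed}")
```

Under ORIGINAL the spoofed DNS packet from inside is blocked by rule 2 and then re-passed by the policy rule 6, which is the short-circuit the post describes; the toy also shows that the inbound packet claiming a local source is blocked by rule 1 and re-passed by the destination rule 5 before any policy rule is reached, since the last match wins. Under FIXED each spoof check ends processing, so the policy section can only ever decide packets that survived it. Two caveats carry over to real rule sets: the negated-match rules are only as good as the address list they negate, and a packet that matches no rule at all passes by default, so a policy section that is meant to be deny-by-default needs its own final block rule.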