Date: Tue, 25 Jul 2000 11:53:52 -0500
From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <397DC61F.18BF726E@math.missouri.edu>
References: <397C8F30.8DFCE0E9@math.missouri.edu> <397D4A06.9CFAF1FA@math.missouri.edu>
Stephen Montgomery-Smith wrote:
>
> I am coming to the conclusion that the only reasonably
> easy way to fix this is that the antispoofing should
> be done by the program natd.
>
> We could add another option to natd that would disallow
> any outgoing packets sent to an unregistered ip address,
> and disallow any incoming packets from or to an unregistered
> ip address. Call it -antispoof.
>

Well I went ahead and did it. The natd program and the libalias packages are so nicely written that it was an easy programming change. It will actually be more work to rewrite the man pages.

I enclose the patch. It is easy to apply:

cd /usr/src (or wherever your source code is kept)
patch < natd-libalias.patch
cd lib/libalias
make
make install
cd ../../sbin/natd
make
make install

Now add -antispoof to the list of options for natd.

I am not really in a position to actually test this code properly - any feedback would be most welcome. This patch is to FreeBSD 4.1RC. For me this is the first time I have done anything like this.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu

Attachment: natd-libalias.patch

diff -ur lib-orig/libalias/alias.c lib/libalias/alias.c
--- lib-orig/libalias/alias.c Tue Jul 25 10:54:58 2000
+++ lib/libalias/alias.c Tue Jul 25 10:43:54 2000
@@ -1305,6 +1305,21 @@ } +/* Unregistered address ranges */ + +/* 10.0.0.0 -> 10.255.255.255 */ +#define UNREG_ADDR_A_LOWER 0x0a000000 +#define UNREG_ADDR_A_UPPER 0x0affffff + +/* 172.16.0.0 -> 172.31.255.255 */ +#define UNREG_ADDR_B_LOWER 0xac100000 +#define UNREG_ADDR_B_UPPER 0xac1fffff + +/* 192.168.0.0 -> 192.168.255.255 */ +#define UNREG_ADDR_C_LOWER 0xc0a80000 +#define UNREG_ADDR_C_UPPER 0xc0a8ffff + + int PacketAliasIn(char *ptr, int maxpacketsize) { @@ -1328,6 +1343,41 @@ if (ntohs(pip->ip_len) > maxpacketsize || (pip->ip_hl<<2) > maxpacketsize) return PKT_ALIAS_IGNORED; + + if (packetAliasMode & PKT_ALIAS_ANTISPOOF) + { + u_long addr; + int iclass; + + iclass = 0; + addr = ntohl(pip->ip_src.s_addr); + if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER) + iclass = 3; + else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER) + iclass = 2; + else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER) + iclass = 1; + + if (iclass != 0) + { + return PKT_ALIAS_ANTISPOOFED; + } + + iclass = 0; + addr = ntohl(pip->ip_dst.s_addr); + if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER) + iclass = 3; + else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER) + iclass = 2; + else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER) + iclass = 1; + + if (iclass != 0) + { + return PKT_ALIAS_ANTISPOOFED; + } + + } iresult = PKT_ALIAS_IGNORED; if ( (ntohs(pip->ip_off) & IP_OFFMASK) == 0 ) @@ -1376,21 +1426,6 @@ } - -/* Unregistered address ranges */ - -/* 10.0.0.0 -> 10.255.255.255 */ -#define UNREG_ADDR_A_LOWER 0x0a000000 -#define UNREG_ADDR_A_UPPER 0x0affffff - -/* 172.16.0.0 -> 172.31.255.255 */ -#define UNREG_ADDR_B_LOWER 0xac100000 -#define UNREG_ADDR_B_UPPER 0xac1fffff - -/* 192.168.0.0 -> 192.168.255.255 */ -#define UNREG_ADDR_C_LOWER 0xc0a80000 -#define UNREG_ADDR_C_UPPER 0xc0a8ffff - int PacketAliasOut(char *ptr, /* valid IP packet */ int maxpacketsize /* How much the packet data may grow 
@@ -1416,6 +1451,26 @@ if (ntohs(pip->ip_len) > maxpacketsize || (pip->ip_hl<<2) > maxpacketsize) return PKT_ALIAS_IGNORED; + + if (packetAliasMode & PKT_ALIAS_ANTISPOOF) + { + u_long addr; + int iclass; + + iclass = 0; + addr = ntohl(pip->ip_dst.s_addr); + if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER) + iclass = 3; + else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER) + iclass = 2; + else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER) + iclass = 1; + + if (iclass != 0) + { + return PKT_ALIAS_ANTISPOOFED; + } + } addr_save = GetDefaultAliasAddress(); if (packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY) diff -ur lib-orig/libalias/alias.h lib/libalias/alias.h --- lib-orig/libalias/alias.h Tue Jul 25 10:54:58 2000 +++ lib/libalias/alias.h Tue Jul 25 10:50:27 2000 @@ -157,12 +157,22 @@ and PacketAliasOut() are reversed */ #define PKT_ALIAS_REVERSE 0x80 +/* If PKT_ALIAS_ANTISPOOF is set, then PacketAliasIn() and PacketAliasOut() + will stop spoofing from or to unregistered ports - so PacketAliasIn will + not allow packets sent to or from unregistered ports, and PacketAliasOut + will not allow packets to unregistered ports. If packets are found + to be spoofed, no aliasing is performed, and PacketAliasIn() and + PacketAliasOut() return PKT_ALIAS_ANTISPOOFED. The calling program + should drop these packets. */ +#define PKT_ALIAS_ANTISPOOF 0x100 + /* Return Codes */ #define PKT_ALIAS_ERROR -1 #define PKT_ALIAS_OK 1 #define PKT_ALIAS_IGNORED 2 #define PKT_ALIAS_UNRESOLVED_FRAGMENT 3 #define PKT_ALIAS_FOUND_HEADER_FRAGMENT 4 +#define PKT_ALIAS_ANTISPOOFED 5 #endif /*lint -restore */ diff -ur sbin-orig/natd/natd.c sbin/natd/natd.c --- sbin-orig/natd/natd.c Tue Jul 25 10:54:22 2000 +++ sbin/natd/natd.c Tue Jul 25 10:28:41 2000 
@@ -534,7 +534,17 @@ /* * Outgoing packets. Do aliasing. */ - PacketAliasOut (packetBuf, IP_MAXPACKET); + status = PacketAliasOut (packetBuf, IP_MAXPACKET); + if (status == PKT_ALIAS_ANTISPOOFED) { + + if (verbose) + printf (" dropped.\n"); + + if (logDropped) + SyslogPacket (ip, LOG_WARNING, "denied"); + + return; + } } else { @@ -542,8 +552,9 @@ * Do aliasing. */ status = PacketAliasIn (packetBuf, IP_MAXPACKET); - if (status == PKT_ALIAS_IGNORED && - dropIgnoredIncoming) { + if (status == PKT_ALIAS_ANTISPOOFED || + (status == PKT_ALIAS_IGNORED && + dropIgnoredIncoming)) { if (verbose) printf (" dropped.\n"); @@ -911,6 +922,14 @@ "alias only unregistered addresses", "unregistered_only", "u" }, + + { PacketAliasOption, + PKT_ALIAS_ANTISPOOF, + YesNo, + "[yes|no]", + "stop spoofing via unregistered addresses", + "antispoof", + NULL }, { PacketAliasOption, PKT_ALIAS_LOG,
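Review bot: in the alias.c PacketAliasIn hunk (@@ -1328,6 +1343,41 @@) the range classification block is pasted verbatim three times across PacketAliasIn and PacketAliasOut, and the iclass values 1/2/3 are only ever compared against zero. Factor it into one static helper placed next to the UNREG_ADDR_* defines, e.g. `static int IsUnregisteredAddr(u_long addr)` returning a boolean, and reduce each check to `if (IsUnregisteredAddr(ntohl(pip->ip_src.s_addr))) return PKT_ALIAS_ANTISPOOFED;`. The @@ -1305 and @@ -1376 hunks that move the defines above PacketAliasIn are then the only place the ranges are spelled out.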
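Review bot: the inbound check in the PacketAliasIn hunk only tests the three RFC 1918 ranges defined above it, so an inbound packet on the outside interface carrying a loopback (127.0.0.0/8) or unspecified (0.0.0.0/8) source address passes through to aliasing exactly as before. If -antispoof is meant as general address antispoofing, add those ranges to the same table; if it is meant strictly as "unregistered addresses", say so in the alias.h comment so operators do not assume more than the option delivers.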
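Review bot: the PacketAliasOut hunk (@@ -1416,6 +1451,26 @@) inspects ip_dst only, which is correct because an outbound packet's private source address is exactly what PacketAliasOut is about to rewrite, but nothing in the code says so; a one-line comment above `addr = ntohl(pip->ip_dst.s_addr);` explaining why ip_src is deliberately not checked would stop a later reader from "fixing" it. Also `u_long addr` is wider than the 32-bit value ntohl() returns on 64-bit targets; `u_int32_t` matches the ip_dst field.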
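Review bot: the new comment in the alias.h hunk says "unregistered ports" three times where it means unregistered addresses (the code compares ip_src and ip_dst and never looks at ports); reword it to match the behaviour, e.g. "will not pass packets sent to or from unregistered addresses", and note in the same comment that the test runs before any aliasing, so the addresses examined are the pre-translation ones. The 0x100 flag value does not collide with the flags visible in the hunk (the highest existing one is PKT_ALIAS_REVERSE 0x80).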
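Review bot: in the natd.c outgoing hunk (@@ -534,7 +534,17 @@) the antispoof drop is logged with the same "denied" text the inbound drop path uses, so an operator reading syslog cannot tell an antispoof drop from an ordinary dropped packet; use a distinct string such as "spoofed" in the `SyslogPacket (ip, LOG_WARNING, ...)` call, or include the direction. The empty line directly after `if (status == PKT_ALIAS_ANTISPOOFED) {` is also out of step with the surrounding file.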
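Review bot: the option-table hunk (@@ -911,6 +922,14 @@) adds -antispoof with no matching natd.8 text, which the post itself acknowledges; the man page entry should go in next to -unregistered_only before this is committed. The help string "stop spoofing via unregistered addresses" describes intent rather than effect; "drop packets to/from unregistered addresses" tells the user what natd will actually do.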
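The rule proposed in the quoted text (inbound packets are rejected if either address is unregistered, outbound packets only if the destination is) as an added stand-alone example. This is not the post's patch and not FreeBSD's libalias; the function names, the verdict values and the sample packets are this example's own, the range bounds are the RFC 1918 ranges the patch defines, and addresses are handled in host byte order as the patch does after ntohl().

```c
#include <stdint.h>
#include <stdio.h>

/* Direction of the packet through the NAT box. */
enum direction { INBOUND, OUTBOUND };

/* Verdicts: 0 = hand to aliasing, 1 = drop as spoofed (what the patch signals
 * with PKT_ALIAS_ANTISPOOFED). Names are this example's, not libalias's. */
enum verdict { PASS = 0, SPOOFED = 1 };

/* The RFC 1918 "unregistered" ranges, host byte order; same bounds as the patch. */
static const struct { uint32_t lo, hi; } unreg_ranges[] = {
    { 0x0a000000u, 0x0affffffu },   /* 10.0.0.0    -> 10.255.255.255  */
    { 0xac100000u, 0xac1fffffu },   /* 172.16.0.0  -> 172.31.255.255  */
    { 0xc0a80000u, 0xc0a8ffffu },   /* 192.168.0.0 -> 192.168.255.255 */
};

/* Returns 1 if addr (host byte order) lies inside any unregistered range. */
int is_unregistered(uint32_t addr)
{
    size_t i;
    for (i = 0; i < sizeof unreg_ranges / sizeof unreg_ranges[0]; i++)
        if (addr >= unreg_ranges[i].lo && addr <= unreg_ranges[i].hi)
            return 1;
    return 0;
}

/* Parse a dotted quad into a host-order integer. Returns 0 on malformed input,
 * including extra octets, trailing junk or octets above 255. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
    return 1;
}

/* The asymmetric rule from the post: inbound is spoofed if src OR dst is
 * unregistered; outbound only if dst is, because an outbound packet's private
 * src is precisely what NAT is about to rewrite and must not be refused. */
enum verdict antispoof_verdict(enum direction dir, uint32_t src, uint32_t dst)
{
    if (dir == INBOUND && is_unregistered(src))
        return SPOOFED;
    if (is_unregistered(dst))
        return SPOOFED;
    return PASS;
}

/* Wrapper over dotted-quad strings: the verdict, or -1 if an address does not parse. */
int check_packet(enum direction dir, const char *src, const char *dst)
{
    uint32_t s, d;
    if (!parse_ipv4(src, &s) || !parse_ipv4(dst, &d))
        return -1;
    return (int)antispoof_verdict(dir, s, d);
}

int main(void)
{
    /* Constructed sample packets; 203.0.113.0/24 and 198.51.100.0/24 are
     * documentation ranges standing in for public addresses. */
    static const struct { enum direction dir; const char *src, *dst; } samples[] = {
        { INBOUND,  "198.51.100.7",   "203.0.113.5" },   /* ordinary inbound: pass    */
        { INBOUND,  "10.1.2.3",       "203.0.113.5" },   /* private src from outside */
        { INBOUND,  "172.31.255.255", "203.0.113.5" },   /* last address of 172.16/12 */
        { INBOUND,  "172.32.0.1",     "203.0.113.5" },   /* just past 172.16/12: pass */
        { OUTBOUND, "192.168.1.10",   "203.0.113.5" },   /* private src outbound: pass */
        { OUTBOUND, "192.168.1.10",   "172.16.0.1"  },   /* private dst outbound: drop */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = check_packet(samples[i].dir, samples[i].src, samples[i].dst);
        printf("%-4s %-16s -> %-16s %s\n",
               samples[i].dir == INBOUND ? "in" : "out",
               samples[i].src, samples[i].dst,
               v == SPOOFED ? "dropped (antispoof)" : "passed to aliasing");
    }
    return 0;
}
```

The boundary samples are the part worth keeping: 172.31.255.255 is the last address of 172.16.0.0/12 and must be caught, while 172.32.0.1 is one address past it and must not be, which is exactly where a hand-typed range comparison tends to go wrong.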