Date: Sun, 14 Apr 2002 14:25:27 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Igor M Podlesny <poige@morning.ru>
Cc: net@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: patch -- An ingress filter (RFC2827)
Message-ID: <20020414142527.B18991@iguana.icir.org>
In-Reply-To: <20020414180447.A93954@mars-gw.morning.ru>
References: <20020414180447.A93954@mars-gw.morning.ru>
Hi,
this is more a comment on rfc2827 than on the patch (which seems
to do basically what is in the RFC).

This kind of filtering gives very little protection. For single-homed
systems with a default route, basically the only packets that it can
deny are those with a 127/8 source address on the wire. And even in
the case of multi-homed routers, in most cases it will likely protect
only from attacks coming from the inside of your network.

Finally, I agree that the place for this code is within ip_fw.c,
definitely not ip_input.c

cheers
luigi

> Hello!
>
> I'd like to know your opinion about this patch
>
> http://www.morning.ru/~poige/patchzone/ingressfiltering.patch
>
> which is my attempt to implement an ingress filter, being inspired by
> RFC2827 "Network Ingress Filtering: Defeating Denial of Service Attacks
> which employ IP Source Address Spoofing".
>
> (http://www.ietf.org/rfc/rfc2827.txt)
>
> It should be mentioned IMHO that this code makes another one in ip_input.c
> kind of redundant -- I mean the code checking/blocking the 127/8 network "on
> wire". BTW, I suggest, if not removing it completely, then adding (sys)logging
> to it -- 127/8-spoofing certainly should be logged. :)
>
> Another thing to pay attention to: I deem it'd be better if such a filter
> was built into ip_fw.c, allowing such syntax for ipfw(8):
>
> deny log ip from any to any in via fxp0 spoofed
>
> But AFAIS in ip_fw.h:
>
> #define IP_FW_F_IN 0x00000100
> ...
> #define IP_FW_F_DME 0x40000000 /* destination = me */
>
> #define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */
>
> and u_int32_t fw_flg;
>
> there is no free space for any additional flags...
>
> So, I was a bit unsure whether I should expand fw_flg to u_int64_t, and do
> any other extensions. For now I decided just to write something like a
> draft, test it (it seems to be working ;), and ask you, people, for your
> comments/ideas on it.
>
> P.S.
> A bit more info on this patch is at http://www.morning.ru/~poige/patchzone/
>
> --
> Igor M Podlesny a.k.a. Poige
> http://WwW.MorninG.RU/~poige
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
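The point Luigi makes above (a reverse-path ingress check can only ever reject 127/8 on a single-homed host with a default route, and on a multi-homed router it mostly catches packets that originate on your own side) is easy to see with a small user-space model of the check. The following is an added example written for this page; it is neither the patch linked above nor FreeBSD's ip_fw.c. It assumes constructed routing tables built from RFC 5737 documentation prefixes (192.0.2.0/24 as the LAN, 203.0.113.0/24 as an outside network) and two hypothetical interface indices, IF_UPSTREAM and IF_LAN, standing in for something like fxp0 and fxp1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed interface indices; think fxp0 (upstream) and fxp1 (LAN). */
enum { IF_UPSTREAM = 0, IF_LAN = 1 };

struct route {
    uint32_t prefix;   /* network address, host byte order */
    int      plen;     /* prefix length; 0 means default route */
    int      ifindex;  /* interface the route points out of */
};

#define NROUTES(t) (sizeof(t) / sizeof((t)[0]))

/* Build a host-order IPv4 address from dotted-quad components. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Netmask for a prefix length; the ternary avoids the undefined 32-bit shift. */
static uint32_t netmask(int plen)
{
    return plen == 0 ? 0u : 0xFFFFFFFFu << (32 - plen);
}

/* Constructed table 1: single-homed host, nothing but a default route. */
static const struct route single_homed[] = {
    { 0x00000000u, 0, IF_UPSTREAM },            /* default */
};

/* Constructed table 2: router with a default upstream and one attached LAN. */
static const struct route multi_homed[] = {
    { 0x00000000u, 0, IF_UPSTREAM },            /* default */
    { 0xC0000200u, 24, IF_LAN },                /* 192.0.2.0/24 */
};

/* Longest-prefix match: interface the box would use to reach dst, or -1. */
static int route_lookup(const struct route *tbl, size_t n, uint32_t dst)
{
    int best_if = -1, best_len = -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = netmask(tbl[i].plen);
        if ((dst & m) == (tbl[i].prefix & m) && tbl[i].plen > best_len) {
            best_if = tbl[i].ifindex;
            best_len = tbl[i].plen;
        }
    }
    return best_if;
}

/* RFC2827-style ingress check. Returns 1 (drop) when a packet with source
 * `src` arriving on `in_if` could not have come from that interface. */
static int is_spoofed(const struct route *tbl, size_t n, uint32_t src, int in_if)
{
    /* Loopback space never legitimately appears on the wire. */
    if ((src & netmask(8)) == 0x7F000000u)
        return 1;
    int back_if = route_lookup(tbl, n, src);
    if (back_if < 0)
        return 1;               /* no route back at all: treat as bogus */
    return back_if != in_if;    /* reverse path disagrees with ingress interface */
}

int main(void)
{
    struct { const char *name; const struct route *tbl; size_t n; int nif; } cfgs[] = {
        { "single-homed host", single_homed, NROUTES(single_homed), 1 },
        { "multi-homed router", multi_homed, NROUTES(multi_homed), 2 },
    };
    uint32_t sources[] = { ip4(127, 0, 0, 1), ip4(192, 0, 2, 5), ip4(203, 0, 113, 9) };

    for (size_t c = 0; c < NROUTES(cfgs); c++) {
        printf("%s:\n", cfgs[c].name);
        for (size_t s = 0; s < NROUTES(sources); s++) {
            for (int iface = 0; iface < cfgs[c].nif; iface++) {
                uint32_t a = sources[s];
                printf("  src %u.%u.%u.%u on if%d -> %s\n",
                       a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255, iface,
                       is_spoofed(cfgs[c].tbl, cfgs[c].n, a, iface) ? "drop (spoofed)" : "pass");
            }
        }
    }
    return 0;
}
```

Run as is, the single-homed table drops only the 127.0.0.1 source: with every destination reached through the default route, any other source address is "consistent" with the one interface it arrived on. The router table additionally drops 192.0.2.5 arriving from upstream (someone outside forging a LAN address) and 203.0.113.9 arriving from the LAN (someone inside forging an outside address), which is the case the RFC is really aimed at.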