Date: Mon, 15 Apr 2002 10:05:01 +0800
From: Igor M Podlesny <poige@morning.ru>
To: Richard A Steenbergen <ras@e-gerbil.net>
Cc: Luigi Rizzo <rizzo@icir.org>, Igor M Podlesny <poige@morning.ru>, net@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: patch -- An ingress filter (RFC2827)
Message-ID: <20020415100501.B93954@mars-gw.morning.ru>
In-Reply-To: <20020414225243.GW523@overlord.e-gerbil.net>; from ras@e-gerbil.net on Sun, Apr 14, 2002 at 06:52:43PM -0400
References: <20020414180447.A93954@mars-gw.morning.ru> <20020414142527.B18991@iguana.icir.org> <20020414225243.GW523@overlord.e-gerbil.net>
On Sun, Apr 14, 2002 at 06:52:43PM -0400, Richard A Steenbergen wrote:
> On Sun, Apr 14, 2002 at 02:25:27PM -0700, Luigi Rizzo wrote:
> >
> > Hi,
> > this is more a comment on rfc2827 than on the patch (which seems to do
> > basically what is in the RFC).
> > This kind of filtering gives very little protection. For single-homed
> > systems with a default route, basically the only packets that it
> > can deny are those with a 127/8 source address on the wire.
> > And even in the case of multi-homed routers, in most cases it will likely
> > protect only from attacks coming from the inside of your network.

I do completely agree with Richard A Steenbergen who's saying:

> The point of RFC2827 isn't to protect you from an attack by spoofing
> source addresses, it is to prevent you (and/or your downstream customers)
> from being the source of address spoofing attacks against others. Of
> course it was written from the router point of view, "ingress" referring to
> the traffic you take in from your customers.

> > Finally, I agree that the place for this code is within ip_fw.c,
> > definitely not ip_input.c

yeah, this'd be a better choice.

> On a system level, this means preventing your server from being
> compromised and used to attack others (or at least attack others with
> spoofed source addresses). This would probably be most closely associated
> with a securelevel, which drops packets sent through raw sockets with a
> source address that you don't have on your system. Unfortunately, there is
> nothing preventing an attacker from adding fake aliases to an interface
> and then spoofing from those IPs, but it would certainly clamp down on
> random source attacks.

> Of course, you would have to adjust securelevel to prevent interface and
> routing changes as well. But securelevel sucks, why not get rid of it. It
> would be much better to have the ability to cut off specific capabilities
> for the entire system (some simple sysctls), without being forced into
> setting things you don't want to when you only have a few "modes" of
> operation.

this refers to a host(router)-itself protection, IMHO...

> After you do that, this filtering would actually be a fairly
> useful feature.

Great, any specific ideas? :)

> --
> Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras

--
Igor M Podlesny a.k.a. Poige
http://WwW.MorninG.RU/~poige
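As an added illustration of the check the thread is about (written for this archive page; it is neither the patch under discussion nor code from any of the posters), here is an RFC2827-style source check in C: a packet arriving on a customer-facing interface is dropped unless its source lies in one of that customer's prefixes, and 127/8 is always dropped. The interface name and prefixes are constructed placeholders; the same function covers the host-level case Richard describes if the allowed list holds the system's own addresses as /32 entries.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
/* Constructed RFC2827-style check, not the patch being discussed.
 * The prefixes and interface name below are placeholders. */
struct prefix { uint32_t net; uint8_t len; };   /* net in network byte order */
struct iface_policy {
    const char *name;         /* customer-facing interface */
    struct prefix allowed[4]; /* prefixes this customer may source from */
    int n_allowed;
};
static struct prefix mkprefix(const char *net, uint8_t len)
{
    struct prefix p = { 0, len };
    struct in_addr a;
    if (inet_pton(AF_INET, net, &a) == 1)
        p.net = a.s_addr;
    return p;
}
static bool prefix_match(uint32_t addr, const struct prefix *p)
{
    uint32_t mask = p->len == 0 ? 0 : htonl(~0u << (32 - p->len));
    return (addr & mask) == (p->net & mask);
}
/* True if a packet with source `src` arriving on `pol` must be dropped:
 * anything outside the customer's prefixes, plus 127/8, which never
 * belongs on the wire. Unparsable sources are dropped as well. */
bool ingress_drop(const struct iface_policy *pol, const char *src)
{
    struct in_addr a;
    struct prefix loopback = { htonl(0x7f000000u), 8 };
    if (inet_pton(AF_INET, src, &a) != 1 || prefix_match(a.s_addr, &loopback))
        return true;
    for (int i = 0; i < pol->n_allowed; i++)
        if (prefix_match(a.s_addr, &pol->allowed[i]))
            return false;
    return true;
}
/* Policy for one hypothetical customer port (constructed values). */
const struct iface_policy *customer_policy(void)
{
    static struct iface_policy pol = { "fxp1", {{0, 0}}, 0 };
    if (pol.n_allowed == 0) {
        pol.allowed[0] = mkprefix("192.0.2.0", 24);
        pol.allowed[1] = mkprefix("198.51.100.0", 24);
        pol.n_allowed = 2;
    }
    return &pol;
}
```

As Luigi notes, on a single-homed host with only a default route the loopback case is the only one this can ever reject; the value of the check is on the router side, keeping a customer's spoofed sources from leaving your network.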