From: Igor M Podlesny
To: Richard A Steenbergen
Cc: Luigi Rizzo, Igor M Podlesny, net@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Date: Mon, 15 Apr 2002 10:05:01 +0800
Subject: Re: patch -- An ingress filter (RFC2827)
Message-ID: <20020415100501.B93954@mars-gw.morning.ru>
In-Reply-To: <20020414225243.GW523@overlord.e-gerbil.net>
References: <20020414180447.A93954@mars-gw.morning.ru> <20020414142527.B18991@iguana.icir.org> <20020414225243.GW523@overlord.e-gerbil.net>

On Sun, Apr 14, 2002 at 06:52:43PM -0400, Richard A Steenbergen wrote:
> On Sun, Apr 14, 2002 at 02:25:27PM -0700, Luigi Rizzo wrote:
> >
> > Hi,
> > this is more a comment on rfc2827 than on the patch (which seems to do
> > basically what is in the RFC).
> > This kind of filtering gives very little protection. For single-homed
> > systems with a default route, basically the only packets that it
> > can deny are those with a 127/8 source address on the wire.
> > And even in the case of multi-homed routers, in most cases it will likely
> > protect only from attacks coming from the inside of your network.
> >

I do completely agree with Richard A Steenbergen, who's saying:

> The point of RFC2827 isn't to protect you from an attack by spoofing
> source addresses; it is to prevent you (and/or your downstream customers)
> from being the source of address spoofing attacks against others. Of
> course it was written from the router point of view, "ingress" referring to
> the traffic you take in from your customers.

> > Finally, I agree that the place for this code is within ip_fw.c,
> > definitely not ip_input.c

Yeah, this'd be a better choice.

> On a system level, this means preventing your server from being
> compromised and used to attack others (or at least attack others with
> spoofed source addresses). This would probably be most closely associated
> with a securelevel, which drops packets sent through raw sockets with a
> source address that you don't have on your system. Unfortunately, there is
> nothing preventing an attacker from adding fake aliases to an interface
> and then spoofing from those IPs, but it would certainly clamp down on
> random source attacks.

> Of course, you would have to adjust securelevel to prevent interface and
> routing changes as well. But securelevel sucks, why not get rid of it. It
> would be much better to have the ability to cut off specific capabilities
> for the entire system (some simple sysctl's), without being forced into
> setting things you don't want to when you only have a few "modes" of
> operation.

This refers to protecting the host (router) itself, IMHO...

> After you do that, this filtering would actually be a fairly
> useful feature.

Great, any specific ideas? :)

> --
> Richard A Steenbergen http://www.e-gerbil.net/ras

--
Igor M Podlesny a.k.a. Poige
http://WwW.MorninG.RU/~poige
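The three checks the thread contrasts can be written out in a few lines of user-space C, as an added example that is not the patch under discussion nor FreeBSD kernel code: the RFC 2827 check on a customer-facing (stub) interface, where a source address is legitimate only if it lies inside a prefix assigned to that interface; the same check on the upstream (default-route) interface, where, as Luigi notes, the only thing the filter can reject is loopback and packets claiming to come from inside; and the host-level variant Richard describes, where a locally generated packet may only carry an address configured on the host. The prefixes and addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, from the documentation ranges) and the interface tables are constructed sample data, not taken from the patch or any real network.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* A CIDR prefix, kept as dotted quad plus prefix length for readability. */
struct prefix { const char *net; int plen; };

#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Constructed sample data: the prefix delegated to the customer (stub)
   interface, everything that lives behind this router, and the addresses
   configured on the host itself. */
static const struct prefix customer_prefixes[] = { {"192.0.2.0", 24} };
static const struct prefix internal_prefixes[] = { {"192.0.2.0", 24},
                                                   {"198.51.100.0", 24} };
static const char *local_addrs[] = { "192.0.2.1", "198.51.100.1" };

/* Parse a dotted quad into a host-order 32-bit value (0 on parse error). */
uint32_t ip4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* True if addr falls inside prefix p. */
static int in_prefix(uint32_t addr, const struct prefix *p)
{
    uint32_t mask = p->plen == 0 ? 0 : 0xffffffffu << (32 - p->plen);
    return (addr & mask) == (ip4(p->net) & mask);
}

static int is_loopback(uint32_t src)
{
    const struct prefix lo = { "127.0.0.0", 8 };
    return in_prefix(src, &lo);
}

/* RFC 2827 on a stub interface: accept only sources inside an assigned
   prefix (and never loopback). This is the case where the filter actually
   stops a downstream host from spoofing arbitrary sources. */
int stub_ingress_accept(uint32_t src)
{
    if (is_loopback(src))
        return 0;
    for (int i = 0; i < N(customer_prefixes); i++)
        if (in_prefix(src, &customer_prefixes[i]))
            return 1;
    return 0;
}

/* RFC 2827 on the default-route interface: the router has no list of
   legitimate sources, so it can only reject loopback and packets that
   claim to originate from its own inside prefixes. */
int transit_ingress_accept(uint32_t src)
{
    if (is_loopback(src))
        return 0;
    for (int i = 0; i < N(internal_prefixes); i++)
        if (in_prefix(src, &internal_prefixes[i]))
            return 0;
    return 1;
}

/* Host-level check: a locally generated (e.g. raw-socket) packet may only
   carry a source address configured on this host. */
int local_source_accept(uint32_t src)
{
    for (int i = 0; i < N(local_addrs); i++)
        if (src == ip4(local_addrs[i]))
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = { "192.0.2.77", "203.0.113.9", "198.51.100.7",
                              "127.0.0.1", "192.0.2.1" };
    printf("%-14s %-5s %-7s %-5s\n", "source", "stub", "transit", "local");
    for (int i = 0; i < N(samples); i++) {
        uint32_t s = ip4(samples[i]);
        printf("%-14s %-5s %-7s %-5s\n", samples[i],
               stub_ingress_accept(s) ? "pass" : "drop",
               transit_ingress_accept(s) ? "pass" : "drop",
               local_source_accept(s) ? "pass" : "drop");
    }
    return 0;
}
```

Running it prints one row per sample source with the verdict of each check, which makes Luigi's point concrete: on the transit side only 127.0.0.1 and the router's own inside addresses are dropped, while on the stub side everything outside 192.0.2.0/24 is. An in-kernel version, whether in ip_fw.c or elsewhere, would key the same tests on the receiving interface rather than on a global table.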