Date:      Mon, 10 Apr 2023 11:30:18 +0100
From:      Tom Byrne <tombyrne223@gmail.com>
To:        louise9841@gmail.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD Comparable Technologies
Message-ID:  <CAJQqbSxJw98SVvBbSMRkAdAwhz6FduET8YBx2NVoZbMd-kShmQ@mail.gmail.com>
In-Reply-To: <E380EBF8-5C8B-4CEB-97B5-9C0A278E6226@gmail.com>
References:  <E380EBF8-5C8B-4CEB-97B5-9C0A278E6226@gmail.com>

Hi

Regarding your first question on reverse path filtering, have a look
at the 'urpf-failed' keyword which you can use in pf.conf as a source
address. From the manual page:

  urpf-failed   Any source address that fails a unicast reverse
  path forwarding (URPF) check, i.e. packets coming
  in on an interface other than that which holds the
  route back to the packet's source address.

I think this is possibly what you want, so a 'block quick' rule higher
up in your ruleset using that keyword can be useful.

I'm not aware of anything freebsd-specific to protect against DHCP
starvation, although if your clients and DHCP server are on different
subnets with your pf filter in between, you could filter tcp/udp 67/68
to prevent connections to rogue DHCP servers. You could combine this
with port security at L2 on your switches, which would prevent
attachment of unauthorised hosts on your client subnet, as well as
prevent the MAC spoofing which is required for DHCP starvation attacks
to work.

Not aware of anything offhand to do DHCP snooping on FreeBSD, but I'm
sure there's probably something out there. Again though, this might be
a feature that's better enabled on your switches instead.

Re: the last one, I'm not entirely sure how you're doing your queuing,
but the rules could be set to apply to any source address in a subnet
or to certain ports/protocols, no matter what the specific address.

 -- Tom



On Sun, 9 Apr 2023 at 11:25, <louise9841@gmail.com> wrote:
>
> Hello, I am new to FreeBSD in terms of using it as a home router/firewall.
> I'm trying to implement the FreeBSD equivalent or similar way of doing
> things like I did on my Linux router. Are there equivalent ways/programs
> for the following:
>
>
> 1. Reverse Path Filter (Like on Linux).
>
> 2. Protection against DHCP Starvation attacks.
>
> 3. DHCP Snooping
>
> 4. Reply-only ARP system with features like (automatically adding ARPs for
> leases) that keep people from setting a static IP on the network and
> bypassing the queueing done by pf.
>
>
> P.S.: If there are any ways of doing these options above, can you point me
> to the right documentation, as I have tried to research but couldn't
> find anything on these subjects listed above.
>
> Thank you,
> Lou



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJQqbSxJw98SVvBbSMRkAdAwhz6FduET8YBx2NVoZbMd-kShmQ>