Date: Mon, 12 Nov 2001 08:21:14 -0500
From: "Wade Majors" <wade@ezri.org>
To: <security@freebsd.org>
Subject: Filtering packets based on incoming address
Message-ID: <000001c16b7c$eb2f0ad0$9700a8c0@ezri>
When reading through http://www.sans.org/top20.htm the other day, I noticed G5. It talks about how packets can be "spoofed" to really target a machine on my network and not the gateway.

I added these rules to my /etc/ipfw.rules file:

# block spoofed packets going to private network
add 00001 deny ip from any to 192.168.0.1/24 in recv fxp0
# block spoofed packets going to cable modem
add 00002 deny ip from any to 10.97.48.1 in recv fxp0

These are the only things before natd, which is rule 00050.

In the few days I've had them in, it hasn't caught anything, so I'm going to assume this isn't breaking anything legitimate. The question is: is this the right way to check for this stuff, anyway? Should I even worry about this since my network is using private IPs?

-Wade
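An added example, not part of Wade's mail and not FreeBSD project code: a small sh script that emits a complete ipfw anti-spoofing rule set in the layout the mail describes (rules ahead of the natd divert at 00050, external interface fxp0, private LAN 192.168.0.0/24, cable modem at 10.97.48.1). The two rules in the post match on the destination address only; the script keeps those and adds the source-address half (a packet arriving on fxp0 must not claim an inside source), plus an egress pair placed after natd so it sees the translated addresses. Everything not taken from the mail is an assumption for illustration: the rule numbers 10-13 and 60-61, the 127.0.0.0/8 rule, the `log` keyword and the ACTION variable.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD): emit an ipfw
# anti-spoofing rule set for a natd gateway. fxp0, 192.168.0.0/24,
# 10.97.48.1 and natd at rule 50 come from the mail; rule numbers, the
# 127.0.0.0/8 rule and the ACTION variable are assumptions.

emit_antispoof_rules() {
    ext_if=$1       # outside interface (cable modem side)
    int_net=$2      # private LAN behind the gateway
    modem_addr=$3   # cable modem's address, reachable only via ext_if
    natd_rule=$4    # number of the existing "divert natd" rule

    # Ingress checks go BEFORE the divert rule so they see the packet as it
    # arrived on the wire, before natd rewrites the destination address.
    n=10
    [ "$n" -lt "$natd_rule" ] || {
        echo "natd rule $natd_rule leaves no room for ingress rules" >&2
        return 1
    }

    # Source half: a packet coming in from outside must not claim a source
    # that lives inside (or on loopback). The post's rules do not cover this.
    echo "add $n deny log ip from $int_net to any in recv $ext_if"; n=$((n + 1))
    echo "add $n deny log ip from 127.0.0.0/8 to any in recv $ext_if"; n=$((n + 1))
    # 10.0.0.0/8 is deliberately NOT blocked as a source: the cable side of
    # this gateway lives in 10.97.48.0, so that rule would cut off the uplink.

    # Destination half, as in the post (the LAN written as a network,
    # 192.168.0.0/24, rather than a host address with a mask).
    echo "add $n deny log ip from any to $int_net in recv $ext_if"; n=$((n + 1))
    echo "add $n deny log ip from any to $modem_addr in recv $ext_if"

    # Egress checks go AFTER the divert rule: a packet natd reinjects
    # continues at the rule following the divert, and only then carries the
    # translated source. Anything still bearing a private source here has
    # bypassed NAT and must not reach the wire.
    m=$((natd_rule + 10))
    echo "add $m deny log ip from $int_net to any out xmit $ext_if"; m=$((m + 1))
    echo "add $m deny log ip from any to $int_net out xmit $ext_if"
}

# Load the emitted rules one by one; ipfw(8) takes each "add ..." line as a
# command. Only meaningful on the gateway itself, as root.
apply_antispoof_rules() {
    emit_antispoof_rules "$@" | while read -r line; do
        # shellcheck disable=SC2086  (word splitting is the point here)
        ipfw -q $line
    done
}

# ACTION=show prints the rules for review (default); ACTION=apply loads them.
case "${ACTION:-show}" in
    show)  emit_antispoof_rules fxp0 192.168.0.0/24 10.97.48.1 50 ;;
    apply) apply_antispoof_rules fxp0 192.168.0.0/24 10.97.48.1 50 ;;
    *)     echo "ACTION must be show or apply" >&2; exit 2 ;;
esac
```

After loading, `ipfw -a list` shows per-rule packet counters, which is the quickest way to tell whether a rule has ever matched; the `log` keyword only produces output when `net.inet.ip.fw.verbose` is set to 1 (and, on a 4.x kernel, IPFIREWALL_VERBOSE is compiled in). Rules 10 and 11 are the ones a neighbour on the cable segment can trip by forging an inside source; rules 12 and 13 are the ones in the mail.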
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000001c16b7c$eb2f0ad0$9700a8c0>
