| field | value | date |
|---|---|---|
| author | andre <andre@FreeBSD.org> | 2004-08-09 16:12:10 +0000 |
| committer | andre <andre@FreeBSD.org> | 2004-08-09 16:12:10 +0000 |
| commit | 649b4336f4c3f3c74176cbaa17d1a54288018ba7 (patch) | |
| tree | 27711afab76e2f06f811864d8a12773ee41b9de3 /sbin/ipfw | |
| parent | 7f0c7f1817c6d5615439d9cc6ca22f49f538c591 (diff) | |
New ipfw option "antispoof":

For incoming packets, the packet's source address is checked if it
belongs to a directly connected network. If the network is directly
connected, then the interface the packet came in on is compared to
the interface the network is connected to. When incoming interface
and directly connected interface are not the same, the packet does
not match.

Usage example:

    ipfw add deny ip from any to any not antispoof in

Manpage education by: ru
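The check the commit message describes, modelled in C as an added example (not code from the FreeBSD commit or from ipfw itself); the interface table, the function names and the choice to stop at the first matching directly connected network are assumptions:

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* A directly connected IPv4 network and the interface it is configured on. */
struct connected_net {
    const char *ifname;
    const char *network;   /* dotted-quad network address */
    int prefixlen;
};

/* Constructed interface table (an assumption, not a real host's configuration). */
static const struct connected_net connected[] = {
    { "fxp0", "192.168.0.0", 24 },
    { "fxp1", "10.0.0.0",     8 },
};

/* True if addr (network byte order) lies inside network/prefixlen. */
static bool in_net(uint32_t addr, const char *network, int prefixlen)
{
    uint32_t net, mask;

    if (inet_pton(AF_INET, network, &net) != 1)
        return false;
    mask = prefixlen > 0 ? htonl(0xffffffffu << (32 - prefixlen)) : 0;
    return (addr & mask) == (net & mask);
}

/* Model of the "antispoof" match: true when the option matches.
 * incoming == 0 models an outgoing packet, which always matches.  A rule
 * "deny ip from any to any not antispoof in" fires when this returns false. */
bool antispoof_match(const char *src, const char *rcvif, int incoming)
{
    uint32_t addr;
    size_t i;
    if (!incoming)
        return true;
    if (inet_pton(AF_INET, src, &addr) != 1)
        return false;
    for (i = 0; i < sizeof(connected) / sizeof(connected[0]); i++) {
        if (in_net(addr, connected[i].network, connected[i].prefixlen))
            /* Source is directly connected: it must arrive on that interface. */
            return strcmp(rcvif, connected[i].ifname) == 0;
    }
    /* Source is not on any directly connected network: antispoof does not engage. */
    return true;
}
```

Note that a source address outside every directly connected network always matches, which is why the option is narrower than verrevpath and does not by itself reject spoofed non-local sources.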
Diffstat (limited to 'sbin/ipfw')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | sbin/ipfw/ipfw.8 | 40 |
| -rw-r--r-- | sbin/ipfw/ipfw2.c | 12 |

2 files changed, 49 insertions, 3 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index e985fa9..e01ac72 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 9, 2004 +.Dd August 9, 2004 .Dt IPFW 8 .Os .Sh NAME @@ -1264,12 +1264,14 @@ the Cisco IOS command: .Pp This option can be used to make anti-spoofing rules to reject all packets with source addresses not from this interface. +See also the option +.Cm antispoof . .It Cm versrcreach For incoming packets, a routing table lookup is done on the packet's source address. If a route to the source address exists, but not the default route or a blackhole/reject route, the packet matches. -Otherwise the packet does not match. +Otherwise, the packet does not match. All outgoing packets match. .Pp The name and functionality of the option is intentionally similar to @@ -1279,6 +1281,23 @@ the Cisco IOS command: .Pp This option can be used to make anti-spoofing rules to reject all packets whose source address is unreachable. +.It Cm antispoof +For incoming packets, the packet's source address is checked if it +belongs to a directly connected network. +If the network is directly connected, then the interface the packet +came on in is compared to the interface the network is connected to. +When incoming interface and directly connected interface are not the +same, the packet does not match. +Otherwise, the packet does match. +All outgoing packets match. +.Pp +This option can be used to make anti-spoofing rules to reject all +packets that pretend to be from a directly connected network but do +not come in through that interface. +This option is similar to but more restricted than +.Cm verrevpath +because it engages only on packets with source addresses of directly +connected networks instead of all source addresses. .El .Sh LOOKUP TABLES Lookup tables are useful to handle large sparse address sets, 
@@ -2055,6 +2074,23 @@ system on the wrong interface. For example, a packet with a source address belonging to a host on a protected internal network would be dropped if it tried to enter the system from an external interface. +.Pp +The +.Cm antispoof +option could be used to do similar but more restricted anti-spoofing +by adding the following to the top of a ruleset: +.Pp +.Dl "ipfw add deny ip from any to any not antispoof in" +.Pp +This rule drops all incoming packets that appear to be coming from another +directly connected system but on the wrong interface. +For example, a packet with a source address of +.Li 192.168.0.0/24 +, configured on +.Li fxp0 +, but coming in on +.Li fxp1 +would be dropped. .Ss DYNAMIC RULES In order to protect a site from flood attacks involving fake TCP packets, it is safer to use dynamic rules: diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index cf45a50..1030e39 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -232,6 +232,7 @@ enum tokens { TOK_MACTYPE, TOK_VERREVPATH, TOK_VERSRCREACH, + TOK_ANTISPOOF, TOK_IPSEC, TOK_COMMENT, @@ -345,6 +346,7 @@ struct _s_x rule_options[] = { { "mac-type", TOK_MACTYPE }, { "verrevpath", TOK_VERREVPATH }, { "versrcreach", TOK_VERSRCREACH }, + { "antispoof", TOK_ANTISPOOF }, { "ipsec", TOK_IPSEC }, { "//", TOK_COMMENT }, @@ -1290,6 +1292,10 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth) printf(" versrcreach"); break; + case O_ANTISPOOF: + printf(" antispoof"); + break; + case O_IPSEC: printf(" ipsec"); break; @@ -1897,7 +1903,7 @@ help(void) " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n" " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" -" verrevpath | versrcreach\n" +" verrevpath | versrcreach | antispoof\n" ); exit(0); } 
@@ -3439,6 +3445,10 @@ read_options: fill_cmd(cmd, O_VERSRCREACH, 0, 0); break; + case TOK_ANTISPOOF: + fill_cmd(cmd, O_ANTISPOOF, 0, 0); + break; + case TOK_IPSEC: fill_cmd(cmd, O_IPSEC, 0, 0); break; |
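Review bot: The new `.It Cm antispoof` paragraph in the ipfw.8 hunk at `@@ -1279,6 +1281,23 @@` describes only the interface-mismatch case and then says "Otherwise, the packet does match.", leaving the reader to infer that a source address belonging to no directly connected network always matches; that case is exactly what makes the option "more restricted than verrevpath", so state it explicitly, e.g. after "Otherwise, the packet does match." add "Packets whose source address does not belong to any directly connected network always match." and point at `.Cm verrevpath` or `.Cm versrcreach` for spoofed non-local sources.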
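Review bot: In the EXAMPLES hunk at `@@ -2055,6 +2074,23 @@`, the lines `, configured on` and `, but coming in on` start with a comma, so the formatter will put a space between the `.Li` argument and the comma ("192.168.0.0/24 , configured on"); mdoc treats a trailing comma given as a separate macro argument as closing punctuation, so write `.Li 192.168.0.0/24 ,` / `configured on` and `.Li fxp0 ,` / `but coming in on`. Also, a packet carries one source address rather than a prefix, so "a packet with a source address of 192.168.0.0/24" should read "a packet with a source address in 192.168.0.0/24".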
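Review bot: The `show_ipfw` hunk at `@@ -1290,6 +1292,10 @@` and the `read_options` hunk at `@@ -3439,6 +3445,10 @@` in ipfw2.c use `O_ANTISPOOF` (`fill_cmd(cmd, O_ANTISPOOF, 0, 0);`), but nothing in this diff defines it; the diffstat is limited to sbin/ipfw, so the opcode must come from the kernel header half of the same change. The commit message should mention that kernel half, since building this utility against a header without `O_ANTISPOOF` fails, and the opcode's value has to agree with what the kernel evaluates for the installed rule to mean "antispoof".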