authorandre <andre@FreeBSD.org>2004-04-23 14:28:38 +0000
committerandre <andre@FreeBSD.org>2004-04-23 14:28:38 +0000
commitd4f49f008f33c4f8764a222f33a2c7469a2bed19 (patch)
tree409e5a1193422d7cff37e0eac1786413b8e0b686 /sbin/ipfw
parente8723e5528fcaf8fa35c8432a0f4aedfe76cb723 (diff)
Add the option versrcreach to verify that a valid route to the source address of a packet exists in the routing table. The default route is ignored because it would match everything and render the check pointless. This option is very useful for routers with a complete view of the Internet (BGP) in the routing table to reject packets with spoofed or unrouteable source addresses.

Example:

ipfw add 1000 deny ip from any to any not versrcreach

also known in Cisco-speak as:

ip verify unicast source reachable-via any

Reviewed by: luigi
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.818
-rw-r--r--sbin/ipfw/ipfw2.c12
2 files changed, 28 insertions, 2 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 910c7af..d7d0f0a 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1230,7 +1230,23 @@ the Cisco IOS command:
.Pp
.Dl ip verify unicast reverse-path
.Pp
-This option can be used to make anti-spoofing rules.
+This option can be used to make anti-spoofing rules to reject all
+packets with source addresses not from this interface.
+.It Cm versrcreach
+For incoming packets,
+a routing table lookup is done on the packet's source address.
+If a route to the source address exists, but not the default route,
+the packet matches.
+Otherwise the packet does not match.
+All outgoing packets match.
+.Pp
+The name and functionality of the option is intentionally similar to
+the Cisco IOS command:
+.Pp
+.Dl ip verify unicast source reachable-via any
+.Pp
+This option can be used to make anti-spoofing rules to reject all
+packets whose source address is unreachable.
.El
.Sh SETS OF RULES
Each rule belongs to one of 32 different
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 9063b53..b0c28f6 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -226,6 +226,7 @@ enum tokens {
TOK_MAC,
TOK_MACTYPE,
TOK_VERREVPATH,
+ TOK_VERSRCREACH,
TOK_IPSEC,
TOK_COMMENT,
@@ -338,6 +339,7 @@ struct _s_x rule_options[] = {
{ "mac", TOK_MAC },
{ "mac-type", TOK_MACTYPE },
{ "verrevpath", TOK_VERREVPATH },
+ { "versrcreach", TOK_VERSRCREACH },
{ "ipsec", TOK_IPSEC },
{ "//", TOK_COMMENT },
@@ -1268,6 +1270,10 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
printf(" verrevpath");
break;
+ case O_VERSRCREACH:
+ printf(" versrcreach");
+ break;
+
case O_IPSEC:
printf(" ipsec");
break;
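Review bot: O_VERSRCREACH, used in the new `case O_VERSRCREACH:` here and again in the read_options hunk's `fill_cmd(cmd, O_VERSRCREACH, 0, 0);`, is not defined anywhere in this diff; the diffstat is limited to sbin/ipfw, so the opcode presumably comes from the kernel-side firewall header changed alongside it. Because ipfw rules travel to and from the kernel as sequences of these opcode values, it is worth confirming that the new constant is appended after the existing opcodes rather than inserted ahead of O_IPSEC, otherwise a userland and kernel built from different revisions would silently read each other's rules with shifted opcode meanings. A one-line comment above the new case, `/* O_VERSRCREACH: kernel verifies a non-default route to the source address exists */`, would make it clear that the reachability semantics live in the kernel and this code only prints the keyword. show_ipfw's switch begins and ends outside this hunk.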
@@ -1874,7 +1880,7 @@ help(void)
" ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n"
" mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n"
" setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
-" verrevpath\n"
+" verrevpath | versrcreach\n"
);
exit(0);
}
@@ -3400,6 +3406,10 @@ read_options:
fill_cmd(cmd, O_VERREVPATH, 0, 0);
break;
+ case TOK_VERSRCREACH:
+ fill_cmd(cmd, O_VERSRCREACH, 0, 0);
+ break;
+
case TOK_IPSEC:
fill_cmd(cmd, O_IPSEC, 0, 0);
break;