An anti-spoofing rule must match all addresses of the firewall, otherwise it leaves holes. This is difficult when one of the firewall's interfaces gets its IP address dynamically via DHCP or PPP: the address is not known when the policy is compiled, so the compiler cannot simply include it in the generated configuration. Some firewall platforms have syntax in their configuration language for matching the address of an interface at run time; other platforms have nothing of the kind. Let's see how Firewall Builder works around this problem.
In this test, I use a variation of the same firewall object, with the external interface "eth0" configured as "dynamic". The anti-spoofing rule looks exactly like the rule in the previous example and matches the same external interface "eth0", direction "inbound":
The generated iptables script looks like this:
getaddr eth0 i_eth0

# Rule 0 (eth0)
#
# anti spoofing rule
#
$IPTABLES -N In_RULE_0
test -n "$i_eth0" && $IPTABLES -A INPUT -i eth0 -s $i_eth0 -j In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j In_RULE_0
test -n "$i_eth0" && $IPTABLES -A FORWARD -i eth0 -s $i_eth0 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j In_RULE_0
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0 -j DROP
The generated script defines a shell function "getaddr" at the beginning. This function runs the "ip addr show" command to determine the actual address of the interface at the time the script is running and assigns it to the shell variable i_eth0. The iptables commands then use this variable to build rules matching the address of this interface. Each such command is guarded with test -n "$i_eth0": if the interface has no address when the script runs (for example, before a DHCP lease has been obtained), that rule is skipped rather than producing a broken iptables command, and the rules for the static addresses are still loaded. Because the address is captured when the script runs, the script has to be re-run if the dynamic address changes later. Otherwise, the generated rules are the same as in the previous example.
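The following is an added example, written for this page, of how the getaddr pattern above can be reproduced by hand; it is not Firewall Builder's generated getaddr function. The "ip addr show" output it parses is constructed sample text (addresses from the 203.0.113.0/24 documentation range), and the function names parse_inet_addr and antispoof_rules are this example's own. The rules are emitted through $IPTABLES so the example can be run with IPTABLES="echo iptables" to print the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not Firewall Builder's own code: resolve a dynamic interface
# address at run time and build the rule-0 anti-spoofing commands around it.

# Constructed sample of "ip -4 addr show dev eth0" on a host whose eth0
# received 203.0.113.10/24 from DHCP.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 203.0.113.10/24 brd 203.0.113.255 scope global dynamic eth0
       valid_lft 85371sec preferred_lft 85371sec'

# Constructed sample for an interface with no IPv4 address yet (no DHCP lease):
# there is no "inet" line at all.
SAMPLE_NO_ADDR='3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# parse_inet_addr: read "ip addr show" text on stdin and print the first
# global IPv4 address without its prefix length; print nothing if none exists.
parse_inet_addr() {
    awk '$1 == "inet" && /scope global/ { sub("/.*", "", $2); print $2; exit }'
}

# getaddr IFACE VARNAME: same contract as the generated script's helper.
# Queries the kernel at run time and stores the result in the named variable.
# (Assumption: "ip" from iproute2 is available on the firewall host.)
getaddr() {
    _addr=$(ip -4 addr show dev "$1" 2>/dev/null | parse_inet_addr)
    eval "$2=\"\$_addr\""
}

# antispoof_rules IFACE ADDR: emit the rule-0 commands for the dynamic address.
# When ADDR is empty the per-address rules are skipped, exactly as the
# test -n guard in the generated script does, so the chain and its LOG/DROP
# targets are still created and the static-address rules (added by the
# caller) still work.
antispoof_rules() {
    iface=$1
    addr=$2
    IPTABLES=${IPTABLES:-iptables}
    $IPTABLES -N In_RULE_0
    for chain in INPUT FORWARD; do
        if test -n "$addr"; then
            $IPTABLES -A "$chain" -i "$iface" -s "$addr" -j In_RULE_0
        fi
    done
    $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A In_RULE_0 -j DROP
}

# Stand-alone run: parse the constructed sample instead of calling "ip", and
# print the commands rather than loading them.
i_eth0=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | parse_inet_addr)
IPTABLES="echo iptables" antispoof_rules eth0 "$i_eth0"
```

On a real host the sequence is getaddr eth0 i_eth0 followed by antispoof_rules eth0 "$i_eth0" with IPTABLES unset. Since the address is read once when the script runs, re-run the script (for example from the DHCP client's hook) whenever the lease changes, or the anti-spoofing rule will keep matching the old address.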
Here is what is generated for PF:
table <tbl.r0.d> { en0 , 192.168.1.1 }

# Rule 0 (en0)
# anti spoofing rule
#
block in log quick on en0 inet from <tbl.r0.d> to any
block in log quick on en0 inet from 192.168.1.0/24 to any
In PF, one can place the interface name ("en0") in a table; PF substitutes the interface's address when the ruleset is loaded, so the compiler does not need to know it in advance.
Unfortunately there is no workaround for this problem for PIX.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.