14.2.7. Anti-Spoofing Rules for a Firewall with a Dynamic Address

An anti-spoofing rule must match all addresses of the firewall to leave no holes. However it is difficult to do if one interface of the firewall gets its IP address dynamically via the DHCP or PPP protocol. This address is unknown at the compile time and proper configuration cannot be generated by just including it. Some firewall platforms have syntax in their configuration language that provides a way to match an address of an interface at run-time, but other platforms do not have anything like this. Let's see how Firewall Builder works around this problem.

In this test, I use a variation of the same firewall object where external interface "eth0" is configured as "dynamic". The anti-spoofing rule looks exactly like the rule in the previous example and matches the same external interface "eth0", direction "inbound":

Figure 14.16. Basic Anti-Spoofing Rule

Basic Anti-Spoofing Rule

The generated iptables script looks like this:

getaddr eth0  i_eth0


# Rule 0 (eth0)
# 
# anti spoofing rule
# 
$IPTABLES -N In_RULE_0
test -n "$i_eth0" && $IPTABLES -A INPUT  -i eth0   -s $i_eth0   -j In_RULE_0 
$IPTABLES -A INPUT  -i eth0   -s 192.168.1.1   -j In_RULE_0 
$IPTABLES -A INPUT  -i eth0   -s 192.168.1.0/24   -j In_RULE_0 
test -n "$i_eth0" && $IPTABLES -A FORWARD  -i eth0   -s $i_eth0   -j In_RULE_0 
$IPTABLES -A FORWARD  -i eth0   -s 192.168.1.1   -j In_RULE_0 
$IPTABLES -A FORWARD  -i eth0   -s 192.168.1.0/24   -j In_RULE_0 
$IPTABLES -A In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0  -j DROP 
      

The script defines a shell function "getaddr" at the beginning. This function uses "ip addr show" command to determine the actual address of the interface at the time when script is running and assigns the address to the shell variable i_eth0. The iptables commands then use this variable to build rules matching address of this interface. Otherwise, generated rules are the same as in the previous example.

Here is what is generated for PF:

table <tbl.r0.d> { en0 , 192.168.1.1 } 

# Rule  0 (en0)
# anti spoofing rule
# 
block in   log  quick on en0 inet  from <tbl.r0.d>  to any 
block in   log  quick on en0 inet  from 192.168.1.0/24  to any 
      

In PF, one can place interface name ("en0") in the table and PF will use its address at the execution time.

Unfortunately there is no workaround for this problem for PIX.

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.