14.2.6. Anti-spoofing rules

Generally speaking, IP spoofing is a technique of generating IP packets with a source address that belongs to someone else. Spoofing creates a danger when hosts on the LAN permit access to their resources and services to trusted hosts by checking the source IP of the packets. Using spoofing, an intruder can fake the source address of his packets and make them look like they originated on the trusted hosts. The basic idea of anti-spoofing protection is to create a firewall rule assigned to the external interface of the firewall that examines source address of all packets crossing that interface coming from outside. If the address belongs to the internal network or the firewall itself, the packet is dropped.

Simple anti-spoofing rule looks like shown on Figure 14.15. Unlike the rule in the previous example, anti-spoofing rule requires matching of the interface and direction. The idea is that packets that come from outside must not have source addresses that match internal network or the firewall itself. The only way to distinguish packets coming from outside from those coming from inside is to check which interface of the firewall they cross and in which direction. Here the rule matches interface eth0, which is external, and direction inbound.

Section 5.2.2 explains how a firewall object and its interfaces can be created. Section 5.2.5 has more details on the firewall's interfaces, their types, and other properties. Section 7.2.4 explains the concept of direction.

Figure 14.15. A Basic Anti-Spoofing Rule

A Basic Anti-Spoofing Rule

Here are the iptables commands generated for this rule:

# Rule 0 (eth0)
# 
# anti spoofing rule
# 
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT  -i eth0   -s 192.0.2.1   -j In_RULE_0 
$IPTABLES -A INPUT  -i eth0   -s 192.168.1.1   -j In_RULE_0 
$IPTABLES -A INPUT  -i eth0   -s 192.168.1.0/24   -j In_RULE_0 
$IPTABLES -A FORWARD  -i eth0   -s 192.0.2.1   -j In_RULE_0 
$IPTABLES -A FORWARD  -i eth0   -s 192.168.1.1   -j In_RULE_0 
$IPTABLES -A FORWARD  -i eth0   -s 192.168.1.0/24   -j In_RULE_0 
$IPTABLES -A In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0  -j DROP 
      

The iptables commands were placed in INPUT and FORWARD chains to match both packets that are headed for the firewall and through the firewall to hosts behind it. Rules match source address of the packets and then log and drop them. Firewall Builder generated iptables commands to match all addresses of the firewall (192.168.1.1, 192.0.2.1) and network behind it (192.168.1.0/24).

Let's see what gets generated for the same rule for PF:

# Tables: (1)
table <tbl.r0.s> { 192.0.2.1 , 192.168.1.1 } 

# Rule  0 (en0)
# anti spoofing rule
# 
block in   log  quick on en0 inet  from <tbl.r0.s>  to any 
block in   log  quick on en0 inet  from 192.168.1.0/24  to any 
# 
      

Here, the compiler uses tables to make generated PF code more compact. Table tbl.r0.s can be used in other rules wherever we need to operate with all addresses of the firewall.

Here is the same rule, compiled for PIX:

! Rule  0 (Ethernet1/0)
! anti-spoofing rule
! 
access-list outside_acl_in  remark 0 (Ethernet1/0)
access-list outside_acl_in  remark anti-spoofing rule
access-list outside_acl_in deny   ip host 192.0.2.1 any 
access-list outside_acl_in deny   ip host 192.168.2.1 any 
access-list outside_acl_in deny   ip host 192.168.1.1 any 
access-list outside_acl_in deny   ip 192.168.1.0 255.255.255.0 any

access-group outside_acl_in in interface outside

      
 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.