Re: IP spoofing under FreeBSD

From: Oliver Fromme <olli(at)secnetix.de>
Date: Tue, 25 Mar 2003 18:51:35 +0100 (CET)

Patrick Hess <patrick_hess(at)t-online.de> wrote:
> [...]
> If that can't be done with IPFW, what other software would I need
> for it? What do you use, what can you recommend?

You have to tell IPFW what it is supposed to do; it can't read
minds.

If you really want to use IPFW (lately I have been leaning more
and more towards ipf), a standard set of rules for a PPP router
could begin like this (in this example the internal network is
10.0.0.0/8 on fxp0):

# Open lo0 for anything, and block 127.* everywhere else.
add pass ip from any to any via lo0
add deny ip from any to 127.0.0.0/8

# Packets on the inside from / to 10.* IPs are accepted.
# We need a special rule for BOOTP (broadcasts with source 0).
# All other packets from the inside are discarded.
add pass ip from 10.0.0.0/8 to any in recv fxp0
add pass ip from any to 10.0.0.0/8 out xmit fxp0
add pass udp from 0.0.0.0 0,68 to 255.255.255.255 67 in recv fxp0
add deny ip from any to any in via fxp0

# Stop RFC1918 nets on the outside interface.
add deny all from 10.0.0.0/8 to any recv tun0
add deny all from any to 10.0.0.0/8 out xmit tun0
add deny all from 172.16.0.0/12 to any via tun0
add deny all from any to 172.16.0.0/12 via tun0
add deny all from 192.168.0.0/16 to any via tun0
add deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-01.txt nets on the outside interface.
add deny all from 0.0.0.0/8 to any via tun0
add deny all from any to 0.0.0.0/8 via tun0
add deny all from 169.254.0.0/16 to any via tun0
add deny all from any to 169.254.0.0/16 via tun0
add deny all from 192.0.2.0/24 to any via tun0
add deny all from any to 192.0.2.0/24 via tun0
add deny all from 224.0.0.0/4 to any via tun0
add deny all from any to 224.0.0.0/4 via tun0
add deny all from 240.0.0.0/4 to any via tun0
add deny all from any to 240.0.0.0/4 via tun0

Of course you have to look at this closely, adapt it to your
needs and extend it accordingly. The above are _only_
anti-spoofing rules. For DNS and all the other protocols you
need, you have to add further rules.

Apart from that, these rules naturally do not prevent every
kind of spoofing, only certain special cases.

Regards
   Olli

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet.  Here's what I worry about.  I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
       -- Mike Godwin
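To see which packets the rule set in the post stops and which it lets fall through to later rules, here is a small first-match evaluator for those rules. This is an added example, not code from the post or from FreeBSD; it models "recv X" as "in via X" and "xmit X" as "out via X", leaves out the BOOTP rule, and uses constructed sample packets.

```python
import ipaddress

INSIDE = "10.0.0.0/8"
# Nets the post blocks in both directions ("via tun0") on the outside interface.
OUTSIDE_VIA = [
    "172.16.0.0/12", "192.168.0.0/16",                   # RFC 1918
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",       # draft-manning-dsua
    "224.0.0.0/4", "240.0.0.0/4",
]
# Rule = (action, src_net, dst_net, direction, iface); "any" matches every
# address, None matches any direction / any interface. Order follows the post,
# and as in ipfw the first matching rule wins.
RULES = [
    ("pass", "any", "any", None, "lo0"),
    ("deny", "any", "127.0.0.0/8", None, None),
    ("pass", INSIDE, "any", "in", "fxp0"),
    ("pass", "any", INSIDE, "out", "fxp0"),
    ("deny", "any", "any", "in", "fxp0"),
    # The 10/8 rules are direction-specific (recv / out xmit), as in the post.
    ("deny", INSIDE, "any", "in", "tun0"),
    ("deny", "any", INSIDE, "out", "tun0"),
]
for net in OUTSIDE_VIA:
    RULES.append(("deny", net, "any", None, "tun0"))
    RULES.append(("deny", "any", net, None, "tun0"))

def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(src, dst, direction, iface):
    """Return (action, rule_index) of the first matching rule, or
    ("no match", None) if the packet falls through to rules added later."""
    for idx, (action, s_net, d_net, r_dir, r_iface) in enumerate(RULES):
        if r_dir is not None and r_dir != direction:
            continue
        if r_iface is not None and r_iface != iface:
            continue
        if _in_net(src, s_net) and _in_net(dst, d_net):
            return action, idx
    return "no match", None

if __name__ == "__main__":
    # Constructed sample packets: (src, dst, direction, interface).
    for pkt in [
        ("10.1.2.3", "198.51.100.7", "in", "fxp0"),      # inside client, accepted
        ("10.1.2.3", "198.51.100.7", "in", "tun0"),      # inside address arriving from outside
        ("203.0.113.9", "198.51.100.7", "in", "fxp0"),   # non-10.x source on the inside
        ("203.0.113.9", "198.51.100.7", "in", "tun0"),   # forged public source: not caught
    ]:
        print(pkt, "->", evaluate(*pkt))
```

The last sample packet illustrates the post's closing caveat: a packet arriving on tun0 with a forged source address outside the listed nets matches none of these rules and is left to whatever rules follow them.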
Received on Tue 25 Mar 2003 - 18:51:39 CET
