14.2.6. Anti-spoofing rules

Generally speaking, IP spoofing is a technique of generating IP packets with a source address that belongs to someone else. Spoofing creates a danger when hosts on the LAN grant access to their resources and services to trusted hosts by checking the source IP of the packets. Using spoofing, an intruder can fake the source address of his packets and make them look like they originated on the trusted hosts. The basic idea of anti-spoofing protection is to create a firewall rule assigned to the external interface of the firewall that examines the source address of every packet that crosses that interface coming from outside. If the address belongs to the internal network or to the firewall itself, the packet is dropped.

A simple anti-spoofing rule looks like the one shown in Figure 14.15. Unlike the rule in the previous example, an anti-spoofing rule requires matching on both the interface and the direction. The idea is that packets coming from outside must not carry source addresses that belong to the internal network or to the firewall itself. The only way to distinguish packets coming from outside from those coming from inside is to check which interface of the firewall they cross and in which direction. Here the rule matches interface eth0, which is external, and direction inbound.

Section 5.2.2 explains how a firewall object and its interfaces can be created. Section 5.2.5 has more details on the firewall's interfaces, their types, and other properties. Section 7.2.4 explains the concept of direction.

Figure 14.15. A Basic Anti-Spoofing Rule


Here are the iptables commands generated for this rule:

# Rule 0 (eth0)
#
# anti spoofing rule
#
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.0.2.1 -j In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.0.2.1 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j In_RULE_0
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0 -j DROP

The iptables commands are placed in both the INPUT and FORWARD chains so that they match packets addressed to the firewall itself as well as packets passing through the firewall to hosts behind it. The rules match the source address of the packets and then log and drop them. Firewall Builder generated iptables commands to match all addresses of the firewall (192.168.1.1, 192.0.2.1) and the network behind it (192.168.1.0/24).
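The two points made above, that the rule only fires for packets entering on the external interface and that every hit is logged with the "RULE 0 -- DENY " prefix before being dropped, can be checked without a firewall at hand. The following Python script is an added example, not code from the Firewall Builder User's Guide or from the project itself. It models the decision the generated In_RULE_0 chain makes for one packet (interface plus source address) and then parses kernel LOG-target lines carrying that prefix to count how many spoofed packets were dropped per claimed source. The interface names and addresses are the ones from the section's example firewall; the log lines are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Assumed topology, taken from the section's example: eth0 is the external
# interface (192.0.2.1), eth1 the internal one (192.168.1.1 on 192.168.1.0/24).
EXTERNAL_IF = "eth0"
PROTECTED = [
    ipaddress.ip_network(a)
    for a in ("192.0.2.1/32", "192.168.1.1/32", "192.168.1.0/24")
]


def antispoof_verdict(in_iface, src):
    """Decide what the section's rule does with one inbound packet.

    Mirrors the generated chain: '-A INPUT/FORWARD -i eth0 -s <addr> -j In_RULE_0'
    followed by LOG and DROP. Only packets *entering* on the external interface
    are examined; the same source address seen on the internal interface is
    legitimate and falls through to later rules ('PASS' here).
    """
    if in_iface != EXTERNAL_IF:
        return "PASS"
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in PROTECTED):
        return "DROP"
    return "PASS"


# Kernel log lines in the format written by the iptables LOG target with the
# prefix "RULE 0 -- DENY " (constructed sample data, not a real capture).
# The third line comes from a different rule and must be ignored.
SAMPLE_LOG = """\
Mar  3 10:12:01 fw kernel: RULE 0 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:12:02 fw kernel: RULE 0 -- DENY IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.1 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1235 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:12:03 fw kernel: RULE 7 -- ACCEPT IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1236 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:12:05 fw kernel: RULE 0 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1237 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The LOG target prints the prefix immediately followed by IN=<iface> OUT=<iface>
# and later SRC=/DST=; OUT is empty for packets addressed to the firewall itself.
LOG_RE = re.compile(
    r"RULE 0 -- DENY IN=(?P<iface>\S*) OUT=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)


def spoofed_sources(log_text):
    """Count, per claimed source address, the packets the anti-spoofing rule
    logged and dropped. Lines from other rules are skipped, and each match is
    cross-checked against antispoof_verdict() so a line that carries the prefix
    but does not actually satisfy the rule is reported instead of counted."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if antispoof_verdict(m["iface"], m["src"]) != "DROP":
            raise ValueError("log line does not match the rule: " + line)
        counts[m["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(antispoof_verdict("eth0", "192.168.1.20"))  # DROP: internal source arriving from outside
    print(antispoof_verdict("eth1", "192.168.1.20"))  # PASS: same source on the internal interface
    print(spoofed_sources(SAMPLE_LOG))
```

The interface check is the part that is easy to get wrong when writing such rules by hand: matching on the source address alone would also drop every legitimate packet the LAN sends through the firewall, which is why the section insists on binding the rule to eth0 inbound. The log parser gives a quick way to confirm, from the syslog output of the generated LOG rule, which addresses are being spoofed and how often.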

Let's see what gets generated for the same rule for PF:

# Tables: (1)
table <tbl.r0.s> { 192.0.2.1 , 192.168.1.1 }

# Rule 0 (en0)
# anti spoofing rule
#
block in log quick on en0 inet from <tbl.r0.s> to any
block in log quick on en0 inet from 192.168.1.0/24 to any
#

Here the compiler uses a table to make the generated PF code more compact. Table tbl.r0.s can be reused in other rules wherever we need to operate on all addresses of the firewall.

Here is the same rule, compiled for PIX:

! Rule 0 (Ethernet1/0)
! anti-spoofing rule
!
access-list outside_acl_in remark 0 (Ethernet1/0)
access-list outside_acl_in remark anti-spoofing rule
access-list outside_acl_in deny ip host 192.0.2.1 any
access-list outside_acl_in deny ip host 192.168.2.1 any
access-list outside_acl_in deny ip host 192.168.1.1 any
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any
access-group outside_acl_in in interface outside