Hi Kurt

I copied your ipchains firewall from SecurityPortal. I've got a question about Anti Spoofing. You've done it like this:

# ANTI-SPOOFING
ipchains -A input -p all -j DENY -s 10.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 192.168.0.0/16 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 172.16.0.0/16 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s $ETH0IP -i eth0 -d 0.0.0.0/0

First question: Do spoofers use IP Addresses only of private IP ranges?

Second question: Where is the difference to:

echo 1 > /proc/net/sys/ipv4/conf/all/rp_filter

(frankly I don't know exactly what this does, I've read this line in suse-security mailinglist one month ago)

Thank you
Philipp
Hi Kurt
I copied your ipchains firewall from SecurityPortal. I've got a question about Anti Spoofing. You've done it like this:

# ANTI-SPOOFING
ipchains -A input -p all -j DENY -s 10.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 192.168.0.0/16 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 172.16.0.0/16 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s $ETH0IP -i eth0 -d 0.0.0.0/0
First question: Do spoofers use IP Addresses only of private IP ranges?
No. But these IPs are non-routed internal networks. You should never ever see them coming in over the Internet, hence blocking them is a good idea. Attackers can spoof from any address, some of which you can safely block.
Second question:
Where is the difference to:

echo 1 > /proc/net/sys/ipv4/conf/all/rp_filter
That prevents things like:

network 10.0.0.* --- 10.0.0.1 [eth0] server [eth1] 192.168.0.1 --- network 192.168.0.*

thus if packets labelled as from 10.0.0.* come in on eth1 the server goes "hey......... that ain't right! 10.0.0.* is on eth0!". If EVERY machine and router on the Internet did this, packet spoofing would be a non-issue. Of course that'll never happen.
(frankly I don't know exactly what this does, I've read this line in suse-security mailinglist one month ago)
Controlling access as much as possible is the idea. For example if you don't need to talk to university networks you can firewall them, which blocks a lot of attackers (university networks are a favorite place to attack from).
Thank you Philipp
You may applaud at will. Kurt Seifried SecurityPortal, your focal point for security on the net http://www.securityportal.com/
* Philipp Snizek wrote on Wed, Sep 27, 2000 at 09:20 +0200:
First question: Do spoofers use IP Addresses only of private IP ranges?
Of course not. It seems they like to use addresses of large sites like yahoo or gmx too. The problem with private IP space is that usually a firewall allows traffic from private IPs, if not configured very well.
echo 1 > /proc/net/sys/ipv4/conf/all/rp_filter
AFAIK: The kernel drops traffic which should have come in through interface A but was received by interface B, i.e. if you have a route to 192.168.0.0/24 on eth0 and you receive a packet from 192.168.0.1 on eth1 the kernel drops that packet, since it should have come in on eth0, not eth1. I think this works for all routes that are known to the local system (list, please correct me if I'm wrong!)

oki,

Steffen

--
This letter was produced by machine and therefore bears neither signature nor seal.