Subject: Re: ipfilter question / vulnerability?
To: Simon J. Gerraty <sjg@quick.com.au>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: 09/26/1999 23:40:31
Cc: tech-security@netbsd.org
Subject: Re: ipfilter question / vulnerability?
Message-ID: <19990926234031.A477@acheron.middleboro.ma.us>
References: <19990924112653.A490@acheron.middleboro.ma.us> <99092410273400.13318@mogador.nettoll.com> <19990926162832.A441@acheron.middleboro.ma.us> <199909270100.LAA26546@zen.quick.com.au>
In-Reply-To: <199909270100.LAA26546@zen.quick.com.au>

On Mon, Sep 27, 1999 at 11:00:30AM +1000, Simon J. Gerraty wrote:

> I'm _not_ using NAT, but I'm not sure it should matter.
> I have the following in my ipf.cfg:

Hm... I assume that you've got static IP, then?

The solution that I've used is to block everything and then only let in
packets to specific ports on my outermost machine. Since there's no built-
in way to filter before NAT, that means I couldn't have done, for example,

block in log quick on ep0 from any to 10.0.0.0/8

because it would have processed *after* NAT, thus dropping all legitimate
NAT packets.

My default deny strategy drops stuff on specific ports, but since I can't
count on having the same IP address, I was doing stuff like

pass in quick proto tcp from any to any port = 80

The problem with this was that local hosts could exploit this by routing
packets to me without having to use source routing. This means that packets
on a limited number of ports could be addressed to any inside machine on
my network.

The only way to prevent this, short of modifying ipfilter (which, incidentally,
OpenBSD seems to have done such that you can specify an interface rather than
an address), was to use actual numbers and to only pass packets destined for
the correct machine. Since I'm using dhcp, I could do this using dhclient-
enter-hooks, as was pointed out to me earlier today:

# dhclient sets $new_ip_address when a lease gives us an address
if [ "$new_ip_address" != "" ]; then
  # fill the placeholder in the rule template with the real address
  sed "s/NEW_IP_ADDRESS/$new_ip_address/g" /etc/ipf.conf.src > /etc/ipf.conf
  # sync interface addresses (-y), flush all rules (-Fa), load the new set (-f)
  ipf -y -Fa -f /etc/ipf.conf
fi

I don't believe this sort of option exists for dynamic ppp users... Maybe
ipfilter will have the dynamic interface option integrated sometime.

I'll do a faq entry for this...

-- 
    Mason Loring Bliss  mason@acheron.middleboro.ma.us  They also surf who
awake ? sleep : dream;  http://acheron.ne.mediaone.net  only stand on waves.
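As an added example that is not part of the mail above, the following script works through the approach Mason describes: a rule template carrying a NEW_IP_ADDRESS placeholder is rendered with the address dhclient just handed out, so the "pass in" rule only matches packets addressed to the host itself rather than "to any", and the rendered set is loaded with ipf. The template contents, the paths in IPF_SRC and IPF_CONF, the 192.0.2.x address and the interface name are constructed for the example; the dhclient variable new_ip_address and the ipf flags are the ones from the mail.

```shell
#!/bin/sh
# Added example, not the mail author's script. Renders an ipfilter rule
# template with the dynamically assigned address and reloads the ruleset.
# Hypothetical paths; a real hook would use /etc/ipf.conf.src and /etc/ipf.conf.
IPF_SRC=${IPF_SRC:-/tmp/ipf.conf.src}
IPF_CONF=${IPF_CONF:-/tmp/ipf.conf}

# Constructed sample template in the style of the rule in the mail. The
# destination is the placeholder, not "any", so a neighbour on the outside
# segment cannot route port-80 packets through us to machines behind NAT.
make_sample_template() {
  cat > "$1" <<'EOF'
# default deny, log what is dropped
block in log quick on ep0 all
# web traffic is accepted only when addressed to this host's own address
pass in quick on ep0 proto tcp from any to NEW_IP_ADDRESS port = 80
EOF
}

# render_ipf_conf TEMPLATE OUTPUT ADDRESS
# Refuses anything that is not a dotted quad, so a malformed lease value
# cannot turn into unexpected rule text via the sed substitution.
render_ipf_conf() {
  tmpl=$1; out=$2; addr=$3
  case "$addr" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  sed "s/NEW_IP_ADDRESS/$addr/g" "$tmpl" > "$out"
}

# Number of "pass in" rules that still accept traffic "to any"; a rendered
# ruleset for this setup should report 0.
count_any_dest() {
  grep -c 'pass in .* to any' "$1" || true
}

# dhclient-enter-hooks fragment: act only when a new address arrived, and
# only call ipf where it exists (so the example runs on non-ipfilter hosts).
reload_if_new() {
  if [ -n "$new_ip_address" ]; then
    render_ipf_conf "$IPF_SRC" "$IPF_CONF" "$new_ip_address" || return 1
    if command -v ipf >/dev/null 2>&1; then
      # sync interface addresses, flush all rules, load the rendered file
      ipf -y -Fa -f "$IPF_CONF"
    fi
  fi
}
```

Run it with new_ip_address set (for instance new_ip_address=192.0.2.10 after make_sample_template "$IPF_SRC") and inspect the rendered file: the pass rule names the host's address, and any later lease change simply re-renders and reloads.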