Subject: Re: ipfilter question / vulnerability?
To: Mason Loring Bliss <>
From: R. C. Dowdeswell <>
List: tech-security
Date: 09/27/1999 01:23:25
  by with SMTP; 27 Sep 1999 08:23:37 -0000
	by (VMailer) with ESMTP
	id B75341B17; Mon, 27 Sep 1999 01:23:25 -0700 (PDT)
To: Mason Loring Bliss <>
Subject: Re: ipfilter question / vulnerability? 
In-reply-to: Your message of "Sun, 26 Sep 1999 23:40:31 EDT."
Organization: The Fall of Imrryr
Reply-To: "R. C. Dowdeswell" <>
Date: Mon, 27 Sep 1999 01:23:25 -0700
From: "R. C. Dowdeswell" <>
Message-Id: <>

On 938403631 seconds since the Beginning of the UNIX epoch
Mason Loring Bliss wrote:
>On Mon, Sep 27, 1999 at 11:00:30AM +1000, Simon J. Gerraty wrote:
>> I'm _not_ using NAT, but I'm not use it should matter.
>> I have the following in my ipf.cfg:
>Hm... I assume that you've got static IP, then?
>The solution that I've used is to block everything and then only let in
>packets to specific ports on my outermost machine. Since there's no built-
>in way to filter before NAT, that means I couldn't have done, for example,
>block in log quick on ep0 from any to
>because it would have processed *after* NAT, thus dropping all legitimate
>NAT packets.

You can still have a block rule as above using keep state as follows:

Assume ep0 is your external iface, ep1 is internal.

pass in on ep1 proto tcp all keep state
pass in on ep1 proto udp all keep state
block in log quick on ep0 from any to

This allows your internal NAT'ed machines to access the net as keep
state rules short circuit your normal filter rules. If you need
external access to your internal machines, you should set up ipnat
rdr rules with your external interface to route them, anyway.

You should probably add the natural bits of spoof prevention:

block in log quick on ep0 from to any
block in log quick on ep0 from to any
... and so on...

>The only way to prevent this, short of modifying ipfilter (which, incidentally
>OpenBSD seems to have done such that you can specify an interface rather than
>an address), was to use actual numbers and to only pass packets destined for
>the correct machine. Since I'm using dhcp, I could do this using dhclient-
>enter-hooks, as was pointed out to me earlier today:
>if [ "$new_ip_address" != "" ]; then
>  sed "s/NEW_IP_ADDRESS/$new_ip_address/g" /etc/ipf.conf.src > /etc/ipf.conf
>  ipf -y -Fa -f /etc/ipf.conf
>I don't believe this sort of option exists for dynamic ppp users... Maybe
>ipfilter will have the dynamic interface option integrated sometime.

Actually pppd calls /etc/ppp/ip-up when a connection is formed,
and /etc/ppp/ip-down when it is dropped.  This is good enough to
change a few packet filter rules on the fly.

>I'll do a faq entry for this...
>    Mason Loring Bliss  They also surf who
>awake ? sleep : dream;  only stand on waves.

 == Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/  ==
 == The Unofficial NetBSD Web Pages        http://www.Imrryr.ORG/NetBSD/  ==
 == The NetBSD Project                            http://www.NetBSD.ORG/  ==