Subject: Re: ipfilter question / vulnerability?
To: None <mouss@tfz.net>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: 09/26/1999 16:28:32
Message-ID: <19990926162832.A441@acheron.middleboro.ma.us>
References: <19990924112653.A490@acheron.middleboro.ma.us> <99092410273400.13318@mogador.nettoll.com>
In-Reply-To: <99092410273400.13318@mogador.nettoll.com>

On Fri, Sep 24, 1999 at 10:08:18AM -0700, mouss@tfz.net wrote:

> On Fri, 24 Sep 1999, Mason Loring Bliss wrote:
> > While I can block source-routed packets
> > destined for 10.x.x.x, I can't figure out how to block packets that are
> > from outside the firewall but locally originated and that point to the ten
> > net.
> 
> What do you mean by "from outside but locally originated"?

The packets I'd want to reject are those that come in over my cable modem
from the local net. If any of my neighbors are secretly evil, they could
set a route to point 10.x packets to my box. Being that the GATEWAY option
is required to run ipfilter, these packets would pass through the firewall
with no problems, more or less. I'd like to be able to filter before NAT
gets the packets.

The way being able to block before NAT translates would help me is that I
have dynamic IP with my cable modem (mostly) so I can't guarantee that
my address will be anything in particular. Thus, I can't filter based on my
own address.

Actually, there is a way, but it doesn't seem to work for NetBSD as yet:

http://false.net/ipfilter/1998_10/0004.html

I guess I'm going to either figure out a way to hook into dhclient to run a
script to sed the new address in when it changes or I'll try to integrate the
OpenBSD changes to ipfilter to let me filter dynamically based on the current
address of a random interface.

-- 
    Mason Loring Bliss  mason@acheron.middleboro.ma.us  They also surf who
awake ? sleep : dream;  http://acheron.ne.mediaone.net  only stand on waves.
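One way to do what the last paragraph describes, as an added example that is not from the thread or from ipfilter itself: a dhclient-exit-hooks style script that re-renders the ipf rule set with the lease's current address and reloads it, so rules that mention the box's own address track the dynamic IP. The interface name ne0 and the two file paths are assumptions; `$reason`, `$interface` and `$new_ip_address` are the variables ISC dhclient-script exports to its hook scripts.

```shell
#!/bin/sh
# Added example: regenerate /etc/ipf.conf from the current DHCP lease.
# Assumed values (not from the thread): EXT_IF, RULES path.
EXT_IF="${EXT_IF:-ne0}"            # external (cable modem) interface
RULES="${RULES:-/etc/ipf.conf}"    # rule file that ipf(8) loads

# Accept only a dotted quad before it is spliced into a rule file.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the rule set for external interface $1 holding address $2.
render_rules() {
    ifc="$1"; addr="$2"
    valid_ipv4 "$addr" || return 1
    cat <<EOF
# Drop anything arriving from the outside that is aimed at the ten net,
# regardless of what address this host currently holds.
block in log quick on $ifc from any to 10.0.0.0/8
# Drop outside packets that claim to come from this host's own address.
block in log quick on $ifc from $addr/32 to any
# Traffic genuinely addressed to this host continues to the normal rules.
pass in on $ifc from any to $addr/32
EOF
}

# Hook body: dhclient-script sets $reason, $interface and $new_ip_address.
ipf_hook() {
    case "$reason" in
    BOUND|RENEW|REBIND|REBOOT)
        [ "$interface" = "$EXT_IF" ] || return 0
        render_rules "$EXT_IF" "$new_ip_address" > "$RULES" || return 1
        ipf -Fa -f "$RULES"        # flush the old rules and load the new file
        ;;
    esac
}

# Only act when sourced by dhclient-script; harmless when run by hand.
if [ -n "${reason:-}" ]; then
    ipf_hook
fi
```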