Re: User ppp: filtering spoofed packets?
> Given:
> An internal network that uses a private address space, say
> 192.168.0.0/24, occasionally connected by "ppp -nat" to an untrusted
> external network. Dial-up PPP, dynamic address assignment, NAT.
>
> Problem:
> How to use ppp(8)'s packet filter to discard spoofed packets coming
> in from the outside? Packets with a source address of 192.168.0.*
> that come in over the PPP link are "impossible" and should be
> discarded right away.
>
> (What's the generic term for filtering out inbound traffic that
> carries internal source addresses and outbound traffic that doesn't?
> I remember there is one, but I've forgotten the term itself, and
> I can't find a glossary of routing speak on the net.)
>
> Is this possible with ppp(8)'s packet filter? I tried
>
> set filter in 0 deny ! 0/0 MYADDR/32
> set filter in 39 permit 0/0 0/0
>
> but that chokes off all inbound traffic, which makes me suspect
> that the packet filter is only applied after NAT.
The filters in ppp must be sequential. The above rules drop off
at rule 1 and deny everything. Change the second line to ``set
filter in 1 permit 0 0'' and it should work ok.
However, I would have thought you actually mean
set filter in 0 deny 10.0.0.0/24 0
set filter in 1 permit 0 0
assuming you've got an internal network of 10s with a 24 bit mask.
Another interesting option is ``nat target'' if you want to block
people from outside from accessing your internal network directly -
a good safety precaution IMHO.
> --
> Christian "naddy" Weisgerber naddy@mips.inka.de
--
Brian <brian@Awfulhak.org> <brian@[uk.]FreeBSD.org>
<http://www.Awfulhak.org> <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
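The term the question is looking for is ingress filtering (RFC 2827 / BCP 38): drop inbound packets carrying internal source addresses and outbound packets carrying external ones. The following is an added example, not code from this thread or from ppp(8); it is a small Python model of the rule walk Brian describes (rules visited by number from 0, first match decides, a gap in the numbering ends the walk and the packet is dropped) so you can see why the 0/39 pair denies everything and the 0/1 pair with a subnet deny does what was wanted. It assumes bare `0` means `0/0`, that `!` only negates the source field, and uses 203.0.113.7 as a constructed stand-in for the dynamically assigned MYADDR; the packet addresses are constructed as well.

```python
"""Model of how ppp(8) walks a 'set filter in' rule list (added example,
not ppp's own code). Semantics taken from Brian's reply: rules are visited
by number starting at 0, the first matching rule decides, and a gap in the
numbering ends the walk, after which the packet is dropped. Bare "0" is
assumed to mean 0/0 and "!" is assumed to negate only the source field."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for the dynamically assigned PPP address.
MYADDR = "203.0.113.7"


@dataclass
class Rule:
    number: int
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    negate_src: bool = False    # leading "!" as in "deny ! 0/0 MYADDR/32"


def _network(token: str, myaddr: str) -> ipaddress.IPv4Network:
    """Turn a ppp.conf address token into a network.

    ppp accepts "0" / "0/0" for any address and the keyword MYADDR for the
    link's own address; ipaddress wants full dotted quads.
    """
    if token.startswith("MYADDR"):
        token = token.replace("MYADDR", myaddr, 1)
    addr, _, plen = token.partition("/")
    if addr == "0":
        addr, plen = "0.0.0.0", plen or "0"
    return ipaddress.ip_network(f"{addr}/{plen or '32'}", strict=False)


def parse_rule(line: str, myaddr: str) -> Rule:
    """Parse "set filter in <n> <permit|deny> [!] <src> <dst>" (the subset used here)."""
    tokens = line.split()
    if tokens[:3] != ["set", "filter", "in"]:
        raise ValueError(f"not an inbound filter rule: {line!r}")
    number, action, *rest = tokens[3:]
    negate = rest[0] == "!"
    if negate:
        rest = rest[1:]
    src, dst = rest[:2]
    return Rule(int(number), action, _network(src, myaddr), _network(dst, myaddr), negate)


def parse_ruleset(text: str, myaddr: str) -> List[Rule]:
    return [parse_rule(ln, myaddr) for ln in text.splitlines() if ln.strip()]


def evaluate(ruleset: str, myaddr: str, src: str, dst: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a packet arriving over the link."""
    by_number = {r.number: r for r in parse_ruleset(ruleset, myaddr)}
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    n = 0
    while n in by_number:
        r = by_number[n]
        src_match = (s in r.src) != r.negate_src
        if src_match and d in r.dst:
            return r.action == "permit", f"{r.action} by rule {n}"
        n += 1
    # Walk ended at a missing rule number: ppp drops the packet.
    return False, f"dropped: no rule {n} (gap in numbering)"


# The rule sets discussed in the thread.
ORIGINAL = """
set filter in 0 deny ! 0/0 MYADDR/32
set filter in 39 permit 0/0 0/0
"""
RENUMBERED = """
set filter in 0 deny ! 0/0 MYADDR/32
set filter in 1 permit 0 0
"""
# Ingress filter for the 192.168.0.0/24 network named in the question.
INGRESS = """
set filter in 0 deny 192.168.0.0/24 0
set filter in 1 permit 0 0
"""

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("renumbered", RENUMBERED), ("ingress", INGRESS)):
        for src in ("198.51.100.9", "192.168.0.5"):   # legitimate peer, spoofed internal source
            print(f"{name:10} src={src:13} -> {evaluate(rules, MYADDR, src, MYADDR)[1]}")
```

Running it shows the original pair never reaches rule 39 (rule 0 cannot match, since a negated 0/0 matches nothing, and there is no rule 1), the renumbered pair lets everything through including the spoofed source, and the subnet deny followed by a sequential permit is the ingress filter that was actually wanted.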