PF anti spoofing and non-routable martians

Hi :)

I have a single laptop with pf and a modem-router. There is no external interface on the modem, but I know the IP address.

Here are a few lines of my pf.conf file:
Code:
int_if = "trunk0"
def_gateway = "IP address"

table <martians> { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, \
                   127.0.0.0/8, 127.0.53.53, 169.254.0.0/16, \
                   172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, \
                   192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, \
                   203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, \
                   255.255.255.255/32 }

# enable spoofing protection
antispoof quick for { lo0 $int_if $def_gateway } inet

# block non-routable ipv4 addresses
block in $log_block quick on $def_gateway from <martians> to any
block out $log_block quick on $def_gateway from any to <martians>

I want to know if these few rules are correct?

Do the anti-spoofing protection and the non-routable IPv4 addresses also apply to the router IP address?

Thanks a lot :)
 
The rules block you from accessing the modem/router itself. You also won't be able to connect to any other machine on the LAN. LANs typically use RFC 1918 addresses (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12).

And you can't firewall "remotely", your LAN never sees the external IP address because you're behind NAT.
 
Thanks for this information ;)

I modified the martians table. I will test it afterwards, but logically it will work.

Code:
table <martians> { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, \
                   127.0.53.53, 169.254.0.0/16, 192.0.0.0/24, \
                   192.0.2.0/24, 198.18.0.0/15, 198.51.100.0/24, \
                   203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, \
                   255.255.255.255/32 }

Now for this rule:
Code:
# enable spoofing protection
antispoof quick for { lo0 $int_if $def_gateway } inet
Do I leave $def_gateway, or is it not necessary?

and for this one:
Code:
# block non-routable ipv4 addresses
block in $log_block quick on $def_gateway from <martians> to any
block out $log_block quick on $def_gateway from any to <martians>

Do I leave $def_gateway, or must I also add $int_if?

Thanks again.
 
I believe you're trying to put the horse behind the cart. Spoofed packets should be prevented from entering your network at the border. Same for reassembling of fragmented packets. So deal with this on the modem/router. Anti-spoof shouldn't be done on lo0, if you get spoofed packets on the loopback interface you have some seriously bad applications running on the host itself. There's not much to "anti-spoof" anyway if the machine only has one interface.

You're really not going to need much more than this:
Code:
int_if="em0"

set skip on lo0

block in all
pass out on $int_if
 
I understand better :). It is true that in all the examples found on the internet, there's lo0.

I changed the rules, which gives:
Code:
antispoof quick for { $int_if $def_gateway } inet
block in $log_block quick on $def_gateway from <martians> to any
block out $log_block quick on $def_gateway from any to <martians>

Is it correct? :D

My pf.conf file is not complete; this is just the part I'm giving.
 
block ... on or pass ... on requires an interface name, not an IP address.

pf.conf(5):
Code:
     on <interface>
           This rule applies only to packets coming in on, or going out
           through, this particular interface or interface group.  For more
           information on interface groups, see the group keyword in
           ifconfig(8).

Same for antispoof for, it also requires an interface, not an IP address.
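Putting the last two replies together, here is the OP's fragment rewritten so that `on` and `antispoof for` take the interface rather than the gateway address. This is an added example, not a config posted in the thread; it assumes the single interface is trunk0 and that the undefined `$log_block` macro was meant to expand to `log`.

```pf
# Added example (not from the thread): the OP's rules with an interface
# name wherever pf expects one. Assumptions: the laptop's only interface
# is trunk0 and $log_block, never defined in the thread, means "log".
int_if    = "trunk0"
log_block = "log"

# Bogon ranges. RFC 1918 space (10/8, 172.16/12, 192.168/16) is left out
# on purpose: the LAN and the modem/router live there, so listing it would
# cut the laptop off from both, as the second reply points out.
# 127.0.53.53 is dropped because 127.0.0.0/8 already covers it.
table <martians> { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, \
                   169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, \
                   198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, \
                   224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

# Loopback traffic is not filtered at all (no antispoof on lo0 either).
set skip on lo0

# Interface, not gateway IP: antispoof expands to rules that drop inbound
# packets claiming $int_if's own address as source, and packets from its
# subnet arriving on any other interface. With a single interface there is
# little for it to catch, but this is the correct form of the rule.
antispoof quick for $int_if inet

# Before (OP's version): "on" is given an IP address, which is not an
# interface, so the rule never matches the traffic the OP had in mind.
#   block in $log_block quick on $def_gateway from <martians> to any
# After: filter on the interface the packets actually arrive on / leave by.
block in  $log_block quick on $int_if from <martians> to any
block out $log_block quick on $int_if from any to <martians>

# Default policy from the third reply: nothing in, everything out.
block in all
pass out on $int_if

# Syntax check without loading the ruleset:  pfctl -nf /etc/pf.conf
```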
 