PF Antispoof & martians

Hi,

I'm trying to figure out if the antispoof ruleset will do anything extra for me if I'm already blocking RFC1918 on $ext_if, because with my ruleset I don't think it does - am I wrong?

"The basic idea of anti-spoofing protection is to create a firewall rule assigned to the external interface of the firewall that examines source address of all packets crossing that interface coming from outside. If the address belongs to the internal network or the firewall itself, the packet is dropped."

Code:
nonroute="{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
        255.255.255.255 }"

Code:
## Block nonrouteable
block drop in quick on $ext_if from $nonroute to any
block drop out quick on $ext_if from any to $nonroute

What would this rule do for me?
Code:
antispoof log quick for $ext_if

Better just paste my entire ruleset here for you to evaluate, having antispoof commented for now.
I got a public IP on em0/$ext_if

Code:
ext_if ="em0"
int_if="em1"
internal_net="10.0.0.0/24" # my internal subnet
gaming="10.0.0.20" # gaming pc

nonroute="{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
        255.255.255.255 }"
tcp_services = "{ xxxx, xxxx, xxxx, ssh }"
udp_services = "{ xxx, xxxx }"
warzone_tcp_udp = "{ 27000:27050, 3074 }"
warzone_udp = "{ 4379:4380, 3478 }"

## Traffic Normalization
scrub in all fragment reassemble no-df random-id max-mss 1440

# NAT
nat on $ext_if from $internal_net to any -> ($ext_if) static-port

# Port forwarding
rdr pass on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $warzone_tcp_udp -> $gaming
rdr pass on $ext_if inet proto udp from any to ($ext_if) port $warzone_udp -> $gaming

## Allow all traffic on loopback,  virtual and internal interfaces
set skip on { lo0, $int_if, vm-public, tap0, tap1 }
# antispoof
# antispoof log quick for $ext_if

## Block inbound on external NIC
block return log on $ext_if all

# Pass outbound on external interface
pass out on $ext_if inet all keep state

## Open up traffic for FreeBSD services
pass in quick proto tcp to any port $tcp_services keep state
pass in quick proto udp to any port $udp_services keep state

# Allow ping
pass inet proto icmp from any to any

## Block nonrouteable
block drop in quick on $ext_if from $nonroute to any
block drop out quick on $ext_if from any to $nonroute
 
I'm trying to figure out if the antispoof ruleset will do anything extra for me if I'm already blocking RFC1918 on $ext_if, because with my ruleset I don't think it does - am I wrong?
You're not wrong.
 
Hehe thank you SirDice.

Was actually just discussing this with a friend and told him that I would put the question up here, saying that SirDice will probably give me an answer! :D

Have a nice weekend
 
Hi, I'm currently learning how to configure PF for the first time and I'm still reading all of the documentation before I post a new thread with questions. But I thought this would be a good place to ask the following...

Why does everyone seem to have a slightly different list of Martian blocks??

In the documentation and a number of online tutorials, RFC1918 is mentioned but everyone's list seems to be a little different. Some people have more IP ranges listed than others. No two examples are the same.

For example Quim lists 224.0.0.0/3 (which I believe should be 224.0.0.0/4??) but does not list 240.0.0.0/4, which accounts for another 268 MILLION addresses. Also, I don't see 20.20.20.0/24 listed in any RFC (I may have missed that one?).

I looked at RFC1918 but it's actually RFC5735 that lists all of the Martian prefixes:

Except, it doesn't list 100.64.0.0/10 because that wasn't reserved until 2012:

I'm really not trying to sound like a smart ass here. I REALLY don't know what I'm doing with PF rule sets yet!! But I thought it would be cool if I didn't need to use "antispoof" if I included all of the Martian address blocks in a table. But why does everyone have a different list? Am I missing something??

Thanks!!
 
Haha I actually updated my martians ruleset (now a table instead of a macro too), I think I based it on OpenBSD's manual, plus the Absolute FreeBSD book

Code:
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
    203.0.113.0/24 255.255.255.255 }

So the answer is just to add all the RFCs that say these are internal or reserved for research = should not be used on the open Internet anymore; some people probably block some countries too. (I've seen rulesets where some Microsoft ip-ranges are blocked, I think that's the 20.20.20.0/24 range "MICROSOFT-CORP-MSN-AS-BLOCK")

Maybe we could gather all the ip-ranges in this thread? :)

Sources/explanations for the ip-ranges would be appreciated!
 
Regarding 224.0.0.0/4 vs 224.0.0.0/3, the difference just seems to make sure that all the addresses above 224 all the way up to 255 are blocked. So maybe it's not a good idea to block /3 if 240 and above are used on the open Internet.
HostMax: 255.255.255.254
instead of
HostMax: 239.255.255.254 (with 255.255.255.255 as broadcast)

edit: I just saw this in your wikipedia link: 240.0.0.0/4
So 224.0.0.0/3 just removes the need to block 240.0.0.0/4, since its included.
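To answer the "why does everyone's list differ" question above and the /3 vs /4 point in this post with something checkable, here is an added example (my own code, not from any post in this thread): it types in the IPv4 special-purpose prefixes with the RFC that reserves each one, audits a posted list against them, and renders a collapsed pf table. The registry dictionary is constructed by hand for this example, so treat it as a starting point to verify against the IANA registry, not as the registry itself. Run against the nonroute macro from the first post it reports seven reserved prefixes that list does not block and flags 20.20.20.0/24 as not reserved by any RFC.

```python
"""Audit a pf martians list against the IPv4 special-purpose registry.

Added example for this thread (not code from any post). The registry
below is typed in by hand from RFC 6890 and its successors; each prefix
carries the RFC that reserves it so the table can cite its sources.
"""
import ipaddress

# Constructed registry: prefix -> reason. Multicast and class E are kept
# as separate entries so collapse() can show that 224.0.0.0/3 is their union.
SPECIAL_PURPOSE = {
    "0.0.0.0/8": "RFC 1122, 'this' network",
    "10.0.0.0/8": "RFC 1918, private",
    "100.64.0.0/10": "RFC 6598, shared address space (carrier NAT)",
    "127.0.0.0/8": "RFC 1122, loopback",
    "169.254.0.0/16": "RFC 3927, link-local",
    "172.16.0.0/12": "RFC 1918, private",
    "192.0.0.0/24": "RFC 6890, IETF protocol assignments",
    "192.0.2.0/24": "RFC 5737, TEST-NET-1",
    "192.88.99.0/24": "RFC 7526, deprecated 6to4 relay anycast",
    "192.168.0.0/16": "RFC 1918, private",
    "198.18.0.0/15": "RFC 2544, benchmarking",
    "198.51.100.0/24": "RFC 5737, TEST-NET-2",
    "203.0.113.0/24": "RFC 5737, TEST-NET-3",
    "224.0.0.0/4": "RFC 5771, multicast",
    "240.0.0.0/4": "RFC 1112, reserved (former class E)",
    "255.255.255.255/32": "RFC 919, limited broadcast",
}

# The nonroute macro from the first post in this thread, for comparison.
POSTER_NONROUTE = ["0.0.0.0/8", "20.20.20.0/24", "127.0.0.0/8",
                   "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24",
                   "192.168.0.0/16", "224.0.0.0/3", "255.255.255.255"]


def collapse(prefixes):
    """Merge adjacent and nested prefixes: 224/4 + 240/4 + 255.255.255.255 -> 224/3."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p, strict=False) for p in prefixes))


def covered(prefix, table):
    """True if every address in prefix falls inside some entry of table."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(t) for t in collapse(table))


def audit(table):
    """Return (missing, unknown): registry prefixes the table does not block,
    and table entries that no special-purpose prefix accounts for."""
    missing = [p for p in SPECIAL_PURPOSE if not covered(p, table)]
    unknown = [p for p in table if not covered(p, SPECIAL_PURPOSE)]
    return missing, unknown


def match(addr, table):
    """Which table entry a source address would hit, or None (for log triage)."""
    ip = ipaddress.ip_address(addr)
    return next((p for p in table
                 if ip in ipaddress.ip_network(p, strict=False)), None)


def pf_table(name, prefixes, width=64):
    """Render a collapsed pf.conf table definition with line continuations."""
    lines, cur = [], f"table <{name}> persist {{"
    for net in map(str, collapse(prefixes)):
        if len(cur) + len(net) + 1 > width:
            lines.append(cur + " \\")
            cur = "   "
        cur += " " + net
    lines.append(cur + " }")
    return "\n".join(lines)


if __name__ == "__main__":
    missing, unknown = audit(POSTER_NONROUTE)
    print("reserved but not blocked:", missing)
    print("blocked but not reserved:", unknown)
    print(pf_table("martians", SPECIAL_PURPOSE))
```

Paste the printed table into pf.conf and reload with `pfctl -nf /etc/pf.conf` first; the `-n` parse-only run catches a missing backslash before anything is loaded.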
 
I added this, since I read that in many circumstances (a normal home network) it would do the same as antispoof.

block in log quick from urpf-failed to any
 
I added this, since I read that in many circumstances (a normal home network) it would do the same as antispoof.
Just in case it isn't obvious yet: That's only true if you have just one local network.

In case of different network segments assigned to different network interfaces, antispoof will make sure packets from source addresses in the network of one interface will be blocked if arriving on a different one.

I don't see a reason against just always enabling antispoof rules.
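To make the two mechanisms discussed so far concrete (the first post's question about antispoof versus an RFC 1918 list on $ext_if, and the multi-segment case in the reply just above), here is an added example ruleset, not taken from any post in this thread. The interface names and addresses are assumptions; the expansions shown in the comments follow the form of the expanded antispoof rules visible in the pfctl -s rules output further down the thread.

```pf
# Added example, not a ruleset from any post in this thread. Assumed
# layout: em0 is the public side with 203.0.113.2/29, em1 is a LAN with
# 10.0.0.1/24 and em2 a second LAN with 10.0.1.1/24. TEST-NET-3
# (203.0.113.0/24) is left out of the table only because it stands in
# for the public block here.
ext_if  = "em0"
lan1_if = "em1"
lan2_if = "em2"

table <martians> persist { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 \
    169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 \
    198.18.0.0/15 198.51.100.0/24 224.0.0.0/3 }

set skip on lo0

# 1. Martians on the external interface. This is an address-list check
#    and only ever sees packets on em0. Keep it above any "pass in quick"
#    service rule: quick means first match wins, so a pass rule listed
#    earlier would accept a spoofed 10.0.0.5 -> port 22 packet before
#    this line is ever consulted.
block drop in  log quick on $ext_if from <martians> to any
block drop out log quick on $ext_if from any to <martians>

# 2. antispoof on each interface. This is an interface-to-network check,
#    not an address list: pf reads the interface's address and mask at
#    load time and expands each directive into the two rules shown in
#    the comment beneath it (same shape as the "block drop in on ! em0
#    inet from 192.168.1.0/24 to any" line in a pfctl -s rules dump).
antispoof log quick for $ext_if inet
#   block drop in log quick on ! em0 inet from 203.0.113.0/29 to any
#   block drop in log quick inet from 203.0.113.2 to any
antispoof log quick for $lan1_if inet
#   block drop in log quick on ! em1 inet from 10.0.0.0/24 to any
#   block drop in log quick inet from 10.0.0.1 to any
antispoof log quick for $lan2_if inet
#   block drop in log quick on ! em2 inet from 10.0.1.0/24 to any
#   block drop in log quick inet from 10.0.1.1 to any

# 3. The routing-table alternative: one rule, every interface. A packet
#    fails uRPF when its source address would not be routed back out the
#    interface it arrived on, which covers the em1/em2 cross-over case
#    above as long as the routing table knows both LANs.
block drop in log quick from urpf-failed to any

# Services, after the blocks.
pass in  quick on $ext_if proto tcp to ($ext_if) port ssh keep state
pass out quick on $ext_if inet keep state
```

Two things worth checking after loading: `pfctl -s rules` shows the expanded antispoof lines rather than the directive, so that is where to confirm the mask pf picked up for each interface; and on a host where every interface except $ext_if is in `set skip`, the `on ! em0` half of the expansion has no interface left to match on, leaving only the rule for the firewall's own source address to do any work.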
 
I am completely rewriting this post to fix the misinformation I just spread. Anyway, what I meant to say is dhcp on your external interface may not work properly because of dhcp requests to 255.255.255.255 being blocked. Before your outbound martians rule you’ll want to pass out quick on ($ext_if) to 255.255.255.255.
 
I have drop in and out quick martians before my pass out rule on $ext_if; it works fine.

Code:
Feb 11 05:03:46 xxx dhclient[659]: DHCPREQUEST on em0 to 194.16.0.0 port 67
Feb 11 05:03:46 xxx dhclient[659]: DHCPACK from 194.16.0.0
Feb 11 05:03:46 xxx dhclient[659]: bound to 176.xxx.xx.2 -- renewal in 600 seconds.
Feb 11 05:13:46 xxx dhclient[659]: DHCPREQUEST on em0 to 194.16.0.0 port 67
Feb 11 05:13:46 xxx dhclient[659]: DHCPACK from 194.16.0.0
Feb 11 05:13:46 xxx dhclient[659]: bound to 176.xxx.xx.2 -- renewal in 600 seconds.

Edit: removed ramblings.

But hmm, the dhclient discover which goes out to 255.255.255.255 should not work with my config, right? And the same goes for the reply (before $ext_if has an IP). But I don't have any issues; how is that possible?
 
Code:
(05:32:26 <~>) 0 $sudo pfctl -s rules
scrub in all no-df random-id max-mss 1440 fragment reassemble
block return in log quick from urpf-failed to any
block drop in quick on em0 from <martians> to any
block drop out quick on em0 from any to <martians>
block return in on em0 all
anchor "blacklistd/*" in on em0 all
pass in quick proto tcp from any to any port = xxx flags S/SA keep state
pass in quick proto tcp from any to any port = xxx flags S/SA keep state
pass in quick proto tcp from any to any port = xxx flags S/SA keep state
pass in quick proto tcp from any to any port = ssh flags S/SA keep state
pass in quick proto udp from any to any port = xxx keep state
pass in quick proto udp from any to any port = xxx keep state
pass out quick on em0 inet all flags S/SA keep state
pass in on em0 inet proto icmp from any to (em0) icmp-type unreach keep state
pass in on em0 inet proto icmp from any to (em0) icmp-type redir keep state
pass in on em0 inet proto icmp from any to (em0) icmp-type timex keep state
pass in on em0 inet proto icmp from any to (em0) icmp-type echoreq keep state
(05:32:58 <~>) 0 $
 
I am completely rewriting this post to fix the misinformation I just spread. Anyway, what I meant to say is dhcp on your external interface may not work properly because of dhcp requests to 255.255.255.255 being blocked. Before your outbound martians rule you’ll want to pass out quick on ($ext_if) to 255.255.255.255.
You gotta remove the parentheses around ext_if in that rule.
 
This is the /etc/pf.conf ruleset I'm using on this machine as I post;

Code:
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010, 8080 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state


The same ruleset at work as I post

Code:
root@unmei:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.46 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto tcp from any to any port = http-alt
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state

STATES:
all tcp 192.168.1.46:63161 -> 34.107.221.82:80       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.46:27115 -> 34.213.33.47:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.46:33383 -> 130.211.19.189:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.46:59303 -> 34.107.221.82:80       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.46:62968 -> 208.80.153.224:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.46:59838 -> 199.232.68.201:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.46:57729 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.46:55928 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2

INFO:
Status: Enabled for 3 days 23:23:53           Debug: Urgent

State Table                          Total             Rate
  current entries                        8               
  searches                          611349            1.8/s
  inserts                            15940            0.0/s
  removals                           15932            0.0/s
Counters
  match                              30076            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
762 fingerprints loaded
root@unmei:/ #
 
Hi, I'm currently learning how to configure PF for the first time and I'm still reading all of the documentation before I post a new thread with questions. But I thought this would be a good place to ask the following...

Why does everyone seem to have a slightly different list of Martian blocks??

In the documentation and a number of online tutorials, RFC1918 is mentioned but everyone's list seems to be a little different. Some people have more IP ranges listed than others. No two examples are the same.

For example Quim lists 224.0.0.0/3 (which I believe should be 224.0.0.0/4??) but does not list 240.0.0.0/4, which accounts for another 268 MILLION addresses. Also, I don't see 20.20.20.0/24 listed in any RFC (I may have missed that one?).

I looked at RFC1918 but it's actually RFC5735 that lists all of the Martian prefixes:

Except, it doesn't list 100.64.0.0/10 because that wasn't reserved until 2012:

I'm really not trying to sound like a smart ass here. I REALLY don't know what I'm doing with PF rule sets yet!! But I thought it would be cool if I didn't need to use "antispoof" if I included all of the Martian address blocks in a table. But why does everyone have a different list? Am I missing something??

Thanks!!
One thing that has me lost is the use of term 'Martian', as in 'Martian prefix', 'Martian blocks'. My educated guess (based on the context) is that 'Martian' means 'Anything not on my network'.

Off the top of my head, I remember reading somewhere that just blocking a range of IP addresses is only useful on internal networks, but not on the Internet.

Basically, I'd like to suggest that you start simple. Start with something that you understand, and can make sense of. Take good notes. And then go from there on to more complex scenarios. :)
 
I have drop in and out quick martians before my pass out rule on ext_if, it works fine.

Code:
Feb 11 05:03:46 xxx dhclient[659]: DHCPREQUEST on em0 to 194.16.0.0 port 67
Feb 11 05:03:46 xxx dhclient[659]: DHCPACK from 194.16.0.0
Feb 11 05:03:46 xxx dhclient[659]: bound to 176.xxx.xx.2 -- renewal in 600 seconds.
Feb 11 05:13:46 xxx dhclient[659]: DHCPREQUEST on em0 to 194.16.0.0 port 67
Feb 11 05:13:46 xxx dhclient[659]: DHCPACK from 194.16.0.0
Feb 11 05:13:46 xxx dhclient[659]: bound to 176.xxx.xx.2 -- renewal in 600 seconds.

Edit: removed ramblings.

But hmm, the dhclient discover which goes out to 255.255.255.255 should not work with my config, right? And the same goes for the reply (before $ext_if has an IP). But I don't have any issues; how is that possible?
Question: "Why is the PF firewall able to negotiate DHCP requests even though there are no rules allowing this operation?"

Answer: "DHCP uses BPF (similar to the way tcpdump does) and is below PF and thus not restricted by PF."
 