PF Which local IPv6 addresses should I block?

M

Mayhem30

I currently use this to block select local IPv4 addresses :

Code: 
table <deny_local> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }
block in quick on $EXT_IF from <deny_local> to any

Which local IPv6 addresses should be added to that list?
 
I do block everything incoming, but I thought something extra was needed to block people pretending to be the local network.

Are any of these Antispoof rules necessary then?

Code: 
set skip on lo0
...
..

# Allow all outgoing traffic
pass out quick all


# Antispoof rules
antispoof quick for $EXT_IF
block in quick on $EXT_IF from no-route to any
block in quick on $EXT_IF from urpf-failed to any
block in quick on $EXT_IF from any to 255.255.255.255

# deny all incoming traffic
block in all

pass in quick on $EXT_IF ...
...
 
Mayhem30 said:
I currently use this to block select local IPv4 addresses :

Code: 
table <deny_local> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }
block in quick on $EXT_IF from <deny_local> to any

Which local IPv6 addresses should be added to that list?
Click to expand...
RFC 6890 lists various "Special Use" IP address ranges that you might wish to reject traffic from.

My /etc/pf.table.rfc6860:
Code: 
# RFC 6890: Special-Purpose IP Address Registry Entries
#
# IPv4 Special-Purpose Address Registry Entries
#
# "This host on this network"
0.0.0.0/8
# Private-Use
10.0.0.0/8
# Shared Address Space
100.64.0.0/10
# Loopback
127.0.0.0/8
# Link Local
169.254.0.0/16
# Private-Use
172.16.0.0/12
# IETF Protocol Assignments
192.0.0.0/24
# Documentation (TEST-NET-1)
192.0.2.0/24
# 6to4 Relay Anycast
192.88.99.0/24
# Private-Use
192.168.0.0/16
# Benchmarking
198.18.0.0/15
# Documentation (TEST-NET-2)
198.51.100.0/24
# Documentation (TEST-NET-3)
203.0.113.0/24
# Reserved
240.0.0.0/4
# Limited Broadcast
255.255.255.255/32
#
# IPv6 Special-Purpose Address Registry Entries
#
# Loopback
::1/128
# Unspecified Address
::/128
# IPv4-IPv6 Translation
64:ff9b::/96
# IPv4-mapped Address
::ffff:0:0/96
# Discard-Only Address Block
100::/64
# IETF Protocol Assignments
2001::/23
# 6to4
2002::/16
# Unique-Local
fc00::/7
 
SirDice said:
Why bother with specific ranges? Just block everything incoming, and only allow what you need.
Click to expand...
This seems like a question worth exploring, a bit.

At first blush, it seems reasonable. Only let in the traffic you need! But a closer look at what's happening shows that antispoof rules probably serve a useful purpose.

Let's look closely at what this policy seems to do, in common practice, where we see rules like this offered up as industry common practice in tutorials, forums, and examples galore:

Code: 
# example, over-simplified pf.conf

### deny all incoming traffic
block in all

### allow select ICMP for IPv4 and IPv6
pass in quick on $ext_if inet proto icmp icmp-type $ipv4_icmp_types
pass in quick on $ext_if inet6 proto ipv6-icmp icmp6-type $ipv6_icmp_types

### allow web clients to talk to the web server
pass in quick on $ext_if proto tcp from any to any port { 80, 443 } $tcp_state
pass in quick on $ext_if proto udp from any to any port 443 $udp_state

First, we block everything by default. So far, so good. The last-match pf processing seems to have our back, here, blocking all the spoofed packets!

Next, we allow traffic on the WAN interface in, if it matches certain ICMP types we allow, to be neighborly admins, and because they might be useful to us, from time to time.

Finally we allow traffic from the WAN interface to the web server, which is the raison d'être for our host. Also fine, and everything works!

But what happened to those spoofing attacks? Well, first we blocked them all. Party time!

Wait a second… our ruleset, like most pf rules we see in examples all over the Internet, allows in traffic based on type and target port.

In practice, restricting access by source IP address seems to be an exceptional case, for example, if we're limiting a privileged set of admin users access to a VPN or ssh only from pre-approved locations.

Our example rules above only blocked spoofing attacks there were targeted at services (ports) we don't offer! We let the IP Address Spoofing (Wikipedia) packets that were pretending to be ICMP or which were directed at our web server ports right on in! Oops!

So far, I remain of the impression that the easiest way to block most source-address spoofing attacks is to block the most common ones, which are pretending to be private networks, with a martian (aka bogon) rule.

I could possibly be talked out of this position, and it's entirely possible that I'm overlooking something, but the example explored above was selected specifically to be a fair representation of pf rules we commonly observe being recommended.
 
You must log in or register to reply here.
Back
Top