diff --git a/docs/Anti-Spoofing.xml b/docs/Anti-Spoofing.xml new file mode 100644 index 000000000..2c24ab79c --- /dev/null +++ b/docs/Anti-Spoofing.xml @@ -0,0 +1,127 @@ + + +
+ + + + Countering Spoofing Attempts + + + + Tom + + Eastep + + + + + + + 2012 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Introduction + + Spoofing is the practice of sending packets + with a forged source address in an attempt to circumvent security + measures. Shorewall supports a variety of measures to counter spoofing + attacks. +
+ +
+ The <emphasis>routefilter</emphasis> Interface Option + + This shorewall-interfaces (5) option was + the first measure implemented and uses + /proc/sys/net/ipv4/conf/*/rp_filter. Many + distributions set this option by default for all ip interfaces. The option + works by determining the reverse path (the route from the packets + destination to its source); it that route does not go out through the + interface that received the packet, then the packet is declared to be a + martian and is dropped. A kernel log message is generated if the + interface's option is set + (/proc/sys/net/ipv4/conf/*/log_martians). + + While this option is simple to configure, it has a couple of + disadvantages: + + + + It is not supported by IPv6. + + + + It does not use packet marks so it doesn't work with some Multi-ISP configurations. + + + + The log messages produces are obscure and confusing. + + +
+ +
+ Hairpin Filtering + + Spoofing can be used to exploit Netfilter's connection tracking to + open arbitrary firewall ports. Attacks of this type establish a connection + to a server that uses separate control and data connections such as an FTP + server. It then sends a packet addressed to itself and from the server. + Such packets are sent back out the same interface that received them + (hairpin). In cases where the + option can't be used, Shorewall 4.4.20 and + later will set up hairpinning traps (see the SFILTER_DISPOSITION and + SFILTER_LOG_LEVEL options in shorewall.conf (5)). + + This automatic hairpin trapping is disabled on interfaces with the + option. +
+ +
+ The <emphasis>rpfilter</emphasis> Interface Option + + A new iptables/ip6tables match (rpfilter) was added in kernel 3.4.4. + This match performs reverse path evaluation similar to + but without the disadvantages: + + + + It is supported by both IPv4 and IPv6. + + + + It uses packet marks so it works with all Multi-ISP configurations. + + + + It produces standard Shorewall/Netfilter log messages controlled + by the RPFILTER_LOG_LEVEL option in shorewall.conf (5)). + + + + Both the disposition and auditing can be controlled using the + RPFILTER_DISPOSITION option in shorewall.conf (5)). + + +
+
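Review bot: two typos in the new text: the routefilter section reads "it that route does not go out through the interface", which should be "if that route does not go out through the interface", and the third disadvantage, "The log messages produces are obscure", should be "The log messages produced are obscure". In the rpfilter section both bullets that cite the configuration file end with a doubled parenthesis, "shorewall.conf (5))"; drop the second ")". On substance, the statement that the rpfilter match "was added in kernel 3.4.4" needs checking: 3.4.4 is a stable point release, and new Netfilter matches land in mainline releases, so please verify the mainline version against the kernel changelog (my recollection is that xt_rpfilter predates 3.4), and state the minimum iptables/ip6tables release that carries the userspace side, since on older distributions the compiled ruleset will otherwise fail with an unhelpful unknown-match error. Two documentation gaps worth closing while the page is new: the routefilter section could note that the kernel combines /proc/sys/net/ipv4/conf/all/rp_filter with the per-interface value (it uses the larger of the two), so a distribution default set in conf/all is not overridden per interface by this option alone; and the Hairpin Filtering section should say what the trap does with a matching packet (the SFILTER_DISPOSITION it references) rather than only pointing at shorewall.conf.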
diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index 0c97664fd..12f53e319 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -80,7 +80,7 @@ - + 6to4 and 6in4 Tunnels Linux Containers (LXC) @@ -90,7 +90,7 @@ - 6to4 and 6in4 Tunnels + Accounting Linux-vserver @@ -99,7 +99,7 @@ - Accounting + Actions Limiting Connection Rates @@ -109,7 +109,8 @@ - Actions + Aliased + (virtual) Interfaces (e.g., eth0:0) Logging @@ -117,8 +118,8 @@ - Aliased - (virtual) Interfaces (e.g., eth0:0) + Anatomy of + Shorewall Macros @@ -128,8 +129,8 @@ - Anatomy of - Shorewall + Anti-Spoofing + Measures MAC Verification
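Review bot: inserting the "Anti-Spoofing Measures" entry shifts every subsequent left-column entry of the index table down one row, and the visible hunks stop at the row that now pairs "Anti-Spoofing Measures" with "MAC Verification"; please confirm the cascade continues cleanly to the end of that column (a new row added at the bottom rather than the last entry being dropped, and the right column left aligned with its original rows), and that the new entry's link target matches the file added in this commit, docs/Anti-Spoofing.xml, since the index is the only place readers will find the new page.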