Add an Anti-spoofing document

Signed-off-by: Tom Eastep <teastep@shorewall.net>

docs/Anti-Spoofing.xml

@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Countering Spoofing Attempts</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2012</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Introduction</title>
+
+    <para><firstterm>Spoofing</firstterm> is the practice of sending packets
+    with a forged source address in an attempt to circumvent security
+    measures. Shorewall supports a variety of measures to counter spoofing
+    attacks.</para>
+  </section>
+
+  <section>
+    <title>The <emphasis>routefilter</emphasis> Interface Option</title>
+
+    <para>This <ulink url="???">shorewall-interfaces</ulink> (5) option was
+    the first measure implemented and uses
+    <filename>/proc/sys/net/ipv4/conf/*/rp_filter</filename>. Many
+    distributions set this option by default for all ip interfaces. The option
+    works by determining the reverse path (the route from the packets
+    destination to its source); it that route does not go out through the
+    interface that received the packet, then the packet is declared to be a
+    martian and is dropped. A kernel log message is generated if the
+    interface's <option>logmartians</option> option is set
+    (<filename>/proc/sys/net/ipv4/conf/*/log_martians</filename>).</para>
+
+    <para>While this option is simple to configure, it has a couple of
+    disadvantages:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>It is not supported by IPv6.</para>
+      </listitem>
+
+      <listitem>
+        <para>It does not use packet marks so it doesn't work with some <ulink
+        url="MultiISP.html">Multi-ISP</ulink> configurations.</para>
+      </listitem>
+
+      <listitem>
+        <para>The log messages produces are obscure and confusing.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section>
+    <title>Hairpin Filtering</title>
+
+    <para>Spoofing can be used to exploit Netfilter's connection tracking to
+    open arbitrary firewall ports. Attacks of this type establish a connection
+    to a server that uses separate control and data connections such as an FTP
+    server. It then sends a packet addressed to itself and from the server.
+    Such packets are sent back out the same interface that received them
+    (<firstterm>hairpin</firstterm>). In cases where the
+    <option>routerfilter</option> option can't be used, Shorewall 4.4.20 and
+    later will set up hairpinning traps (see the SFILTER_DISPOSITION and
+    SFILTER_LOG_LEVEL options in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
+
+    <para>This automatic hairpin trapping is disabled on interfaces with the
+    <option>routeback</option> option.</para>
+  </section>
+
+  <section>
+    <title>The <emphasis>rpfilter</emphasis> Interface Option</title>
+
+    <para>A new iptables/ip6tables match (rpfilter) was added in kernel 3.4.4.
+    This match performs reverse path evaluation similar to
+    <option>routefilter</option> but without the disadvantages:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>It is supported by both IPv4 and IPv6.</para>
+      </listitem>
+
+      <listitem>
+        <para>It uses packet marks so it works with all <ulink
+        url="MultiISP.html">Multi-ISP</ulink> configurations.</para>
+      </listitem>
+
+      <listitem>
+        <para>It produces standard Shorewall/Netfilter log messages controlled
+        by the RPFILTER_LOG_LEVEL option in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
+      </listitem>
+
+      <listitem>
+        <para>Both the disposition and auditing can be controlled using the
+        RPFILTER_DISPOSITION option in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
+      </listitem>
+    </itemizedlist>
+  </section>
+</article>

docs/Documentation_Index.xml

@@ -80,7 +80,7 @@
       <tgroup align="left" cols="3">
         <tbody>
           <row>
-            <entry/>
+            <entry><ulink url="6to4.htm">6to4 and 6in4 Tunnels</ulink></entry>
 
             <entry><ulink url="LXC.html">Linux Containers
             (LXC)</ulink></entry>
@@ -90,7 +90,7 @@
           </row>
 
           <row>
-            <entry><ulink url="6to4.htm">6to4 and 6in4 Tunnels</ulink></entry>
+            <entry><ulink url="Accounting.html">Accounting</ulink></entry>
 
             <entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>
 
@@ -99,7 +99,7 @@
           </row>
 
           <row>
-            <entry><ulink url="Accounting.html">Accounting</ulink></entry>
+            <entry><ulink url="Actions.html">Actions</ulink></entry>
 
             <entry><ulink url="ConnectionRate.html">Limiting Connection
             Rates</ulink></entry>
@@ -109,7 +109,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Actions.html">Actions</ulink></entry>
+            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
+            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>
 
             <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>
 
@@ -117,8 +118,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
+            <entry><ulink url="Anatomy.html">Anatomy of
-            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>
+            Shorewall</ulink></entry>
 
             <entry><ulink url="Macros.html">Macros</ulink></entry>
 
@@ -128,8 +129,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Anatomy.html">Anatomy of
+            <entry><ulink url="Anti-Spoofing.html">Anti-Spoofing
-            Shorewall</ulink></entry>
+            Measures</ulink></entry>
 
             <entry><ulink url="MAC_Validation.html">MAC
             Verification</ulink></entry>