Filtering Spoofed Packets


One common way to defeat a less intelligent packet filter is to send fraudulent packets with a source address within the firewall. In theory, the firewall will pass those packets on into the network. If the intruder does everything exactly right, he could compute the likely response packets from packets he sends and compute the packets he would need to send in response to those, eventually building a sequence of packets to issue commands to a target machine without receiving any responses from it. This attack has been used before and will probably be used again.

To prevent this, filter out packets that arrive on an interface they could not legitimately have come in on. For one very typical example, suppose you have an OpenBSD machine with two network cards. One card has the IP address 192.168.1.1/24 and is connected to your internal network, while the other is connected to the Internet and has whatever IP address your ISP has assigned. Packets with a source address beginning with 192.168.1 should not be entering your network from the card attached to the Internet. Similarly, packets with a source address of 192.168.1.1 should not be entering the firewall from either network card. You could write rules for this, but this is such a common situation that PF includes a statement for it, "antispoof." Here we block spoofed packets on the fxp0 interface:

 antispoof for fxp0 

This statement automatically adds rules that block the Ethernet network directly attached to the interface from coming in on any other interface and that block the actual IP on that card from coming in over any network.

It's a good idea to provide antispoof protection for every network interface on your firewall, including the loopback interfaces. Providing antispoof protection on loopback interfaces can cause problems if software on your system attempts to communicate with the system via a local IP address, because that traffic carries a local source address on lo0. You'll need to add rules to bypass the antispoof protection in this instance. For that reason, I also suggest logging spoofed packets by adding the "log" keyword, so that legitimate traffic caught by these rules shows up in your logs rather than silently disappearing.

 antispoof log for fxp0 
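The following pf.conf fragment is an added example, not taken from the book, that puts the pieces above together: it shows the two rules that "antispoof for fxp0" expands to when written by hand, applies logged antispoof protection to every interface including lo0, and adds the bypass rule that loopback traffic needs. It assumes fxp0 is the internal card with 192.168.1.1/24 as in the text; the external interface name fxp1 and the macro names are placeholders to replace with your own.

```pf
# Added example (not from the book): antispoof on every interface,
# with the loopback bypass the text describes.
# Assumptions: fxp0 = internal card (192.168.1.1/24, from the text),
#              fxp1 = placeholder for the Internet-facing card.

int_if   = "fxp0"
ext_if   = "fxp1"          # placeholder; use your external interface
int_net  = "192.168.1.0/24"
int_addr = "192.168.1.1"

# What "antispoof for fxp0" generates, spelled out by hand:
#   block drop in on ! $int_if inet from $int_net  to any   # our LAN arriving on another card
#   block drop in             inet from $int_addr to any   # our own address arriving anywhere
# The antispoof statement below replaces these two lines.

# Local processes talk to the machine's own addresses over lo0, which the
# antispoof rules would otherwise block.  "quick" makes this the final
# decision for anything on lo0, so it must precede the antispoof line.
pass quick on lo0 all

# Antispoof for every interface.  "log" sends each drop to pflog0 so a
# misconfigured host or an actual spoofing attempt can be seen with
# tcpdump -n -e -ttt -i pflog0.
antispoof log quick for { lo0 $int_if $ext_if }

# Ordinary filter policy follows; these are placeholders for your own rules.
block in all
pass out all keep state
```

Load it with `pfctl -f /etc/pf.conf` and check the expansion with `pfctl -sr`: the antispoof line appears as the block rules for each interface's network and address, not as the word "antispoof". Note that the bypass rule has to come before the antispoof line and carry "quick"; without "quick", PF's last-matching-rule-wins evaluation would let the later antispoof block rule override it.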

Now that you have a grip on the basics of packet filtering, let's consider some of PF's more interesting traffic-management abilities, which are discussed in the next chapter.




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
