[plug] OT: Smoothwall

Matt Kemner zombie at wasp.net.au
Mon Aug 13 11:30:37 WST 2001


On Mon, 13 Aug 2001, Brad Campbell wrote:

> If I have a box, with ppp0 and eth0 on it. The default route is through ppp0
> and 192.168.1.* is routed through eth0.
> 
> A spoofed packet comes in from 192.168.1.1 sourced through ppp0.
> Should the reply to that packet be routed through eth0, therefore
> the sender of the spoofed packet will get no reply.
> If so, then the packet spoofing could not be used to establish a connection,
> just provide transport for an attack that requires no reverse traffic.

You are correct - hence why TCP/IP uses the "3 way handshake" to initiate
a connection - to prevent spoofing.  However UDP and ICMP are vulnerable
to spoofing.  This is why it is always a good idea to add a rule such as:

ipchains -A input -i ppp0 -s 192.168.1.0/24 -l -j REJECT

which rejects (and logs) any packets coming in over ppp0 claiming to have
a source address of your internal network.

If you can't trust people internal to your network to do the "right thing",
it is always a good idea to do the reverse,

i.e. assuming you had the IP address range "192.168.1.0/24" routed to you
from the world, it would be a good idea to add a rule such as:

ipchains -A output -i ppp0 -s ! 192.168.1.0/24 -l -j REJECT

which prevents people on your network pretending to be someone they are
not.

If all ISPs in the world set up egress filtering such as this, the 'net
would be a much better place.

 - Matt
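
Added example, not part of the original message: a small Python model of the two ipchains rules quoted above and of the routing table from the question, run over constructed packets. The accept-by-default policy, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # internal range from the post
EXTERNAL_IF = "ppp0"                               # outside interface from the post

# Routing table as described in the question: 192.168.1.* via eth0, default via ppp0.
ROUTES = [(INTERNAL, "eth0"), (ipaddress.ip_network("0.0.0.0/0"), "ppp0")]


def route(dst):
    """Longest-prefix match: the interface a packet addressed to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def verdict(chain, iface, src):
    """Apply the two rules from the post; unmatched packets are accepted (assumed policy)."""
    inside = ipaddress.ip_address(src) in INTERNAL
    if chain == "input" and iface == EXTERNAL_IF and inside:
        return "REJECT"  # ipchains -A input -i ppp0 -s 192.168.1.0/24 -l -j REJECT
    if chain == "output" and iface == EXTERNAL_IF and not inside:
        return "REJECT"  # ipchains -A output -i ppp0 -s ! 192.168.1.0/24 -l -j REJECT
    return "ACCEPT"


# Constructed sample packets: (chain, interface, source address)
SAMPLES = [
    ("input", "ppp0", "192.168.1.1"),    # internal source arriving from outside: spoofed
    ("input", "ppp0", "203.0.113.7"),    # ordinary outside host
    ("input", "eth0", "192.168.1.1"),    # genuine internal host on the LAN side
    ("output", "ppp0", "192.168.1.20"),  # internal host leaving with its own address
    ("output", "ppp0", "198.51.100.9"),  # internal host forging an outside source
]


def run_samples():
    """Return the verdict for each constructed packet, in order."""
    return [verdict(*pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, result in zip(SAMPLES, run_samples()):
        print(*pkt, "->", result)
    # Without the input rule, a reply to the spoofed source still never reaches the sender:
    print("reply to 192.168.1.1 leaves via", route("192.168.1.1"))
```
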



