
Anti-Spoofing - no-route



What is the difference between the two blocking rules below?
... table <garbage> { 127/8, 10/8, 172.16/12, 192.168/16, 255.255.255.255/32 }
... block in log quick on $exIF from no-route to any
... block in log quick on $exIF from <garbage> to any
i.e., what does no-route expand to?
The manual entry talks about no-route being any address that is not
currently routable. However, as I am routing 192.168.0.0/24 internally,
does that not get excluded?  I certainly do NOT want to see a source
address coming in from the outside with the same IPs as my own internal
addresses.
Are these rules redundant or complementary?
Thanks - Damian
NOW - if my short explanation was too brief or poorly worded ....
PF filters between an external set of IPs, say 202.202.202.0/24 and an
internal network, 192.168.0.0/24.
Let's assume I want a bidirectional NAT of 202.202.202.145 on the
host which, behind the firewall, is 192.168.0.145.  That is, I want
the outside world to think my host is 202.202.202.145.
The relevant pieces of /etc/pf.conf are
... exIF="de0"
... mail="192.168.0.145"
... table <garbage> { 127/8, 10/8, 172.16/12, 192.168/16, 255.255.255.255/32 }
... scrub in all
... # Expose A Host
... binat on $exIF from 192.168.0.145 to any -> 202.202.202.145
... # No spoofing
... block in  log quick on $exIF from no-route to any
... block in  log quick on $exIF from <garbage> to any
... # Pass through rules follow later
... pass in quick on $exIF\
...        proto tcp from any to 192.168.0.145 port 25 keep state
P.S. As soon as I saw the 'caveat' on the antispoof rule, I got worried.
When I couldn't find examples, I just gave up on it.
Pacific Engineering Systems International, 22/8 Campbell St, Artarmon NSW 2064
Ph:+61-2-99063377 .. Fx:+61-2-99063468   | unsolicited email not wanted here !
Views and opinions here are mine and not those of any past or present employer
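Added example, not part of the post above: a small Python check that takes the table and addresses quoted in the mail (embedded here as a constructed pf.conf fragment), expands pf's abbreviated prefixes such as 10/8, and confirms that a source claiming to be 192.168.0.0/24 is caught by the <garbage> rule while the binat address 202.202.202.145 is not. It deliberately says nothing about no-route, whose expansion depends on the live routing table; the function names are my own.

```python
import ipaddress
import re

# Constructed input: the macros, table and rules quoted in the list post.
PF_CONF = """
exIF="de0"
mail="192.168.0.145"
table <garbage> { 127/8, 10/8, 172.16/12, 192.168/16, 255.255.255.255/32 }
binat on $exIF from 192.168.0.145 to any -> 202.202.202.145
block in log quick on $exIF from no-route to any
block in log quick on $exIF from <garbage> to any
"""

TABLE_RE = re.compile(r"table\s+<(\w+)>\s*(?:const\s+)?\{([^}]*)\}")


def expand_shorthand(entry: str) -> ipaddress.IPv4Network:
    """pf accepts abbreviated prefixes such as 10/8 or 172.16/12; pad to four octets."""
    addr, _, plen = entry.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def parse_tables(conf: str) -> dict:
    """Return {table_name: [networks]} for every 'table <name> { ... }' line."""
    tables = {}
    for name, body in TABLE_RE.findall(conf):
        entries = [e.strip() for e in body.split(",") if e.strip()]
        tables[name] = [expand_shorthand(e) for e in entries]
    return tables


def matches_table(addr: str, nets) -> bool:
    """True if the source address would match 'from <table>'."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def check_plan(conf: str, internal: str, exposed: str) -> dict:
    """Sanity-check the bogon table against the site's own address plan."""
    garbage = parse_tables(conf)["garbage"]
    internal_net = ipaddress.ip_network(internal)
    return {
        # An outside packet claiming an inside source is dropped by the table rule
        "internal_covered": any(internal_net.subnet_of(n) for n in garbage),
        # The binat external address must not be swallowed by the same rule
        "exposed_blocked": matches_table(exposed, garbage),
    }


if __name__ == "__main__":
    print(check_plan(PF_CONF, "192.168.0.0/24", "202.202.202.145"))
```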