Saturday, October 17, 2009

A note on ipfwadm spoofed packet protection

I was studying how to set up firewall rules with the ipfwadm Linux command. In the process, I found some sample code for filtering spoofed packets. However, I can't agree with the code.

Here is the code:

EXTERNNET="172.160.50.0/24"   # Subnetted external segment
ipfwadm -I -p accept          # default policy for the input chain: accept
# deny (and log, -o) packets arriving on the internal interface (-V $IFINTERN)
# whose source claims to be in EXTERNNET; the sample never defines IFINTERN
ipfwadm -I -a deny -V $IFINTERN -S $EXTERNNET -o

I thought about it and I think the code is in error. First of all, you can't define an EXTERNNET. The external network should be anything that is not your internal segment, but the ipfwadm syntax does not allow you to specify a negation or the complement of a set. To overcome this in this setting, we should first allow the internal subnet:

# accept packets arriving on the internal interface whose source is in the internal subnet
ipfwadm -I -a accept -V $IFINTERN -S $INTERNNET -o

Then deny all others:

# deny (and log) any other source seen on the internal interface
ipfwadm -I -a deny -V $IFINTERN -S $ANYWHERE -o

Of course, depending on other rules, the deny statement may have to be moved toward the end so as not to interfere with other rules.
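To make the difference concrete, here is an added simulation (my own example code, not from the sample or from ipfwadm itself) that applies ipfwadm's first-match semantics to both rule sets. The interface address, the internal subnet and the sample source addresses are constructed values, since the sample never defines IFINTERN or INTERNNET.

```python
"""Simulate ipfwadm first-match rule evaluation to compare the two rule sets."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A rule is (action, interface_address, source_network); None matches anything.
Rule = Tuple[str, Optional[str], Optional[str]]

# Constructed values for this example; the original sample leaves them undefined.
IFINTERN = "192.168.1.1"        # address of the internal interface (-V)
INTERNNET = "192.168.1.0/24"    # the internal segment
EXTERNNET = "172.160.50.0/24"   # external segment taken from the sample
ANYWHERE = "0.0.0.0/0"


def evaluate(rules: List[Rule], policy: str, iface_addr: str, src: str) -> str:
    """Verdict for a packet received on iface_addr with source address src.

    As in ipfwadm, rules are checked in order and the first match decides;
    if no rule matches, the chain's default policy (-p) applies.
    """
    src_ip = ipaddress.ip_address(src)
    for action, iface, net in rules:
        if iface is not None and iface != iface_addr:
            continue
        if net is not None and src_ip not in ipaddress.ip_network(net):
            continue
        return action
    return policy


# The sample's rule set: deny only packets claiming an EXTERNNET source.
ORIGINAL_RULES: List[Rule] = [("deny", IFINTERN, EXTERNNET)]

# The corrected rule set: accept the internal net, then deny everything else.
CORRECTED_RULES: List[Rule] = [
    ("accept", IFINTERN, INTERNNET),
    ("deny", IFINTERN, ANYWHERE),
]


def spoof_check(rules: List[Rule]) -> Dict[str, str]:
    """Verdicts for packets seen on the internal interface with various sources."""
    samples = {                     # constructed sample source addresses
        "legit internal": "192.168.1.42",
        "spoofed as EXTERNNET": "172.160.50.7",
        "spoofed as other public": "198.51.100.9",
        "spoofed as other private": "10.0.0.5",
    }
    return {label: evaluate(rules, "accept", IFINTERN, ip) for label, ip in samples.items()}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(name, spoof_check(rules))
```

With the sample's rules, only sources inside EXTERNNET are denied; any other non-internal source on the internal interface falls through to the accept policy, which is exactly the gap the accept-then-deny ordering closes.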
