Anti-Spoofing Rules - How do I do this with Murus?

Murus
megumi
Posts: 34
Joined: Wed Dec 31, 2014 2:31 pm

Anti-Spoofing Rules - How do I do this with Murus?

Post by megumi » Sun May 28, 2017 10:52 am

Hello,

I recently came across a writing about anti-spoofing rules in firewalls. It says: "Packets with "internal" addresses cannot normally come from outside, and if they do, they must be spoofed and should be dropped." So, apparently it's important to have a rule early on to block such spoofed packets by matching packets with source addresses equal to the addresses of the firewall's interfaces or internal network, but coming in from outside, which is determined by the interface through which packets enter the firewall. And sample pf rules were shown as:
# Tables: (1)
table <tbl.r9999.d> { 192.0.2.1 , 172.16.22.1 , 192.168.2.1 }
#
# Rule 0 (eth0)
#
block in log quick on en0 inet from <tbl.r9999.d> to any
block in log quick on en0 inet from 172.16.22.0/24 to any
#

I am a typical normal user. I am not protecting a network as such. I run pf on my laptop to protect it, because it is connected to internet pretty much all the time through home WiFi (192.168.0.0/16). So, I created a custom rule for my WiFi interface (en0) like this:
[attached image: custom rule for anti-spoofing.png]
Then I also created the same rule for 2 other internal network address ranges (in case I go somewhere else to join other WiFi networks):
[attached image: custom rules for anti-spoofing.png]
I think these rules look right, but they are at the bottom of the rule set list. How can I move them to somewhere near the top of the rule set list?

Or, am I doing something wrong or even unnecessary?

I'd appreciate any help or advice.

Megumi

hany
Posts: 389
Joined: Wed Dec 10, 2014 5:20 pm

Re: Anti-Spoofing Rules - How do I do this with Murus?

Post by hany » Thu Jun 01, 2017 6:06 pm

hello megumi,

You cannot put custom rules on top of the rule list; they must stay within their proper range. They are loaded at runtime into a dedicated anchor that stays at the end of the ruleset. This is because, to be effective, they must be matched after the 'normal' rules.
About antispoofing: these 3 custom rules are not wrong but have little or nothing to do with antispoofing.
Antispoofing in Murus is achieved by two hardcoded rules that are activated in (almost) all Murus rulesets:


block in quick from no-route to any
block in quick from urpf-failed

megumi
Posts: 34
Joined: Wed Dec 31, 2014 2:31 pm

Re: Anti-Spoofing Rules - How do I do this with Murus?

Post by megumi » Fri Jun 02, 2017 10:04 am

Hello Hany,

Thank you for your helpful reply. I can see those 2 rules in my ruleset, and I am glad that they achieve anti-spoofing protection. But could you explain what those 2 rules mean. I don't know what "no-route" means and what "urpf-failed" is.

Am I correct to understand that spoofing is to send a packet that 'pretends' to have come from within the LAN but really comes from outside the LAN?

I will remove the 3 custom rules that do nothing effective against spoofing.

Megumi

hany
Posts: 389
Joined: Wed Dec 10, 2014 5:20 pm

Re: Anti-Spoofing Rules - How do I do this with Murus?

Post by hany » Tue Jun 06, 2017 4:07 pm

But could you explain what those 2 rules mean. I don't know what "no-route" means and what "urpf-failed" is.
I'll answer quoting OpenBSD FAQ:
Unicast Reverse Path Forwarding

PF offers a Unicast Reverse Path Forwarding (uRPF) feature. When a packet is run through the uRPF check, the source IP address of the packet is looked up in the routing table. If the outbound interface found in the routing table entry is the same as the interface that the packet just came in on, then the uRPF check passes. If the interfaces don't match, then it's possible the packet has had its source address spoofed.
The uRPF check can be performed on packets by using the urpf-failed keyword in filter rules:


block in quick from urpf-failed label uRPF
Note that the uRPF check only makes sense in an environment where routing is symmetric.
uRPF provides the same functionality as antispoof rules.

quoting man pf.conf:
no-route: Any address which is not currently routable.

urpf-failed: Any source address that fails a unicast reverse
path forwarding (URPF) check, i.e. packets coming
in on an interface other than that which holds the
route back to the packet's source address.
You can find more information about antispoof in pf here:
https://www.openbsd.org/faq/pf/filter.html#antispoof
but please note that this article refers to the latest version of OpenBSD's pf, not macOS's pf, which is older and uses a slightly different syntax.
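The two keywords hany quotes above, no-route and urpf-failed, are both just route lookups on the packet's source address. The following is an added illustration of that logic, not code from Murus, pf or OpenBSD: the routing table, interface names (en0, lo0, utun0) and packet samples are constructed for the example, and a longest-prefix-match lookup stands in for the kernel's route lookup. It shows why an IPv4 default route means no-route never matches an IPv4 source, why a source that the routing table says lives behind another interface is urpf-failed, and why the check assumes symmetric routing.

```python
import ipaddress

# Constructed routing table for a laptop on home WiFi (example data only).
# Each entry: (destination network, interface the kernel would send it out of).
ROUTES = [
    ("0.0.0.0/0", "en0"),         # IPv4 default route via the WiFi gateway
    ("192.168.1.0/24", "en0"),    # the local WiFi segment
    ("127.0.0.0/8", "lo0"),       # loopback
    ("10.8.0.0/24", "utun0"),     # a VPN tunnel
    ("::1/128", "lo0"),           # IPv6 loopback; note: no IPv6 default route
]


def lookup(routes, addr):
    """Longest-prefix match: interface that reaches addr, or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best_iface, best_len = None, -1
    for net_str, iface in routes:
        net = ipaddress.ip_network(net_str)
        if net.version != ip.version:
            continue
        if ip in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def classify(routes, src, ingress_iface):
    """Mimic pf's 'from no-route' and 'from urpf-failed' on one inbound packet.

    no-route:    the source address has no route at all (not currently routable).
    urpf-failed: the route back to the source leaves via a different interface
                 than the one the packet arrived on, i.e. a likely spoof.
    """
    iface = lookup(routes, src)
    if iface is None:
        return "no-route"
    if iface != ingress_iface:
        return "urpf-failed"
    return "pass"


def filter_packets(routes, packets):
    """Apply classify() to (src, ingress_iface) pairs; returns a list of verdicts."""
    return [(src, iface, classify(routes, src, iface)) for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample of inbound packets: (source address, interface seen on).
    sample = [
        ("192.168.1.20", "en0"),   # LAN neighbour on the WiFi: passes
        ("203.0.113.5", "en0"),    # Internet host via default route: passes
        ("203.0.113.5", "utun0"),  # same host but arriving over the VPN: uRPF fails
        ("10.8.0.7", "en0"),       # claims to be a VPN peer but came in on WiFi: uRPF fails
        ("127.0.0.1", "en0"),      # loopback source on a real interface: uRPF fails
        ("2001:db8::1", "en0"),    # IPv6 source with no route at all: no-route
    ]
    for src, iface, verdict in filter_packets(ROUTES, sample):
        print(f"{src:>14} in on {iface:<5} -> {verdict}")
```

Two things worth noticing when reading the verdicts: because an IPv4 default route exists, every IPv4 source is routable, so no-route only ever catches address families or ranges with no route at all (here the IPv6 sample), and uRPF does the real work. And the check is only meaningful if replies really would leave by the same interface the packet arrived on; with asymmetric routing (for example a VPN that carries only some destinations) legitimate traffic such as the 203.0.113.5-over-utun0 case above would be dropped, which is the caveat in the OpenBSD FAQ text quoted above.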

megumi
Posts: 34
Joined: Wed Dec 31, 2014 2:31 pm

Re: Anti-Spoofing Rules - How do I do this with Murus?

Post by megumi » Thu Jun 08, 2017 10:10 am

Thank you, hany. I don't fully understand all of the technical details, but I get enough to feel re-assured.

Megumi
