Subject: re: disabling source routing and ip-forwarding in netbsd-current?
To: None <current-users@NetBSD.ORG, netbsd@virtual.cuc.ab.ca>
From: Danny Boulet <danny@nahanni.BouletFermat.ab.ca>
List: current-users
Date: 04/07/1995 20:51:52
    From: netbsd@virtual.cuc.ab.ca (Netbsd maildrop)

    Thanks to those that replied with the solution to those problems.
    My next question: how would I modify the kernel so that incoming packets
    from a particular interface (let's say ppp0) that have a source address of
    my machine get logged and dropped?

Why not use a packet filtering firewall?  Customizing your kernel to the
extent that you are talking about is going to make future upgrades a
lot more work than they need to be.  Use something like my ipfirewall
facility (or one of the others) to specify what you want to accept from
where.  It is a LOT more flexible than constantly having to make kernel
mods as you install kernel upgrades.

To block packets from ppp0 that have a certain source address, you would
use the ipfirewall command:

	ipfirewall addb ppp0 reject from my_machine to 0/0

Assuming that my_machine is on an interior class C network, the following
would block any packets appearing to come from any machine on the class
C network:

	ipfirewall addb ppp0 reject from my_machine/24 to 0/0

One catch with this approach is that you will reject packets that originate
on your machine and are self-addressed, if the source address used was
my_machine's host address (as opposed to the address of one of your other
network interfaces).  The kernel mods necessary to distinguish this case are
probably down in the network interface driver code itself.  On the other
hand, it isn't very hard to set up your machine so that self-addressed
packets don't appear to arrive via the untrusted interface.

-Danny

P.S. I'm out of town next week.  How about picking up a copy of my critter
and having a look at what it does from

    ftp://ftp.bsdi.com/contrib/networking/security/ipfirewall_v2.0.gz

or

    ftp://ftp.nebulus.net/pub/bsdi/security/ipfirewall_v2.0.gz

Even if you end up using some other packet filtering facility, I'm sure
that you'll end up spending a lot less time on the problem than you've
already invested in the source routing stuff and whatnot.
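The anti-spoofing rules above, worked through as an added example that is not part of the mail or of the ipfirewall tool: a small evaluator in Python that parses the `addb <iface> reject from <src> to <dst>` form shown in the mail, applies it to constructed packets, and logs what is dropped. The address 192.0.2.10 standing in for my_machine, the "first match wins, otherwise accept" policy, and the interface name lo0 are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple

# A rule is bound to one interface; src/dst are IPv4Network prefixes the packet must fall in.
Rule = namedtuple("Rule", "iface action src dst")
# A packet is just what the filter needs: arriving interface, source and destination address.
Packet = namedtuple("Packet", "iface src dst")

def to_network(spec):
    """Expand the mail's shorthand ("0/0", "host/24") into an IPv4Network; host bits are masked."""
    host, _, plen = spec.partition("/")
    octets = host.split(".")
    octets += ["0"] * (4 - len(octets))          # "0/0" becomes 0.0.0.0/0
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen or 32}", strict=False)

def parse_rule(line):
    """Parse 'addb <iface> <action> from <src> to <dst>', the command form shown in the mail."""
    t = line.split()
    if len(t) != 7 or t[0] != "addb" or t[3] != "from" or t[5] != "to":
        raise ValueError(f"unrecognised rule: {line!r}")
    return Rule(t[1], t[2], to_network(t[4]), to_network(t[6]))

def filter_packet(rules, pkt, log):
    """First matching rule on the packet's interface decides; unmatched packets are accepted (assumed default)."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.iface == pkt.iface and src in r.src and dst in r.dst:
            if r.action == "reject":
                log.append(f"{pkt.iface}: dropped {pkt.src} -> {pkt.dst} (matched from {r.src})")
            return r.action
    return "accept"

# Constructed sample: my_machine is 192.0.2.10 (documentation range), rules exactly as in the mail.
MY_MACHINE = "192.0.2.10"
RULES = [parse_rule(f"addb ppp0 reject from {MY_MACHINE} to 0/0"),
         parse_rule(f"addb ppp0 reject from {MY_MACHINE}/24 to 0/0")]

def run_demo():
    """Return ({description: verdict}, rejection log) for a set of constructed packets."""
    log = []
    samples = {
        "own address spoofed via ppp0": Packet("ppp0", MY_MACHINE, "198.51.100.5"),
        "LAN neighbour spoofed via ppp0": Packet("ppp0", "192.0.2.77", "198.51.100.5"),
        "genuine remote host via ppp0": Packet("ppp0", "203.0.113.9", MY_MACHINE),
        "self-addressed via lo0": Packet("lo0", MY_MACHINE, MY_MACHINE),
        "self-addressed via ppp0 (the catch)": Packet("ppp0", MY_MACHINE, MY_MACHINE),
    }
    verdicts = {name: filter_packet(RULES, p, log) for name, p in samples.items()}
    return verdicts, log
```

The last two samples show the catch the mail describes: the same self-addressed packet passes when it stays on the loopback interface but is rejected if it is seen arriving on ppp0.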