Subject: Re: ipf rules
To: Erik Huizing <huizing@cpsc.ucalgary.ca>
From: Andrew Gillham <gillham@vaultron.com>
List: current-users
Date: 12/13/2000 21:11:35
Erik Huizing writes:
> All the machines on my lan have 192.168.1.x addresses, they all use
> 192.168.1.16 as their router.
> My firewall/server is 24.65.241.78 with 192.168.1.16 as an alias
> the NAT rules I've got are like this
> map ep0 192.168.1.1/28 -> 0.0.0.0/32
> 
> Right now, my ipf rules are
> 
> block in quick from 172.16.0.0/12 to any
> block in quick from 10.0.0.0/8 to any
> 
> pass in proto tcp/udp all
> pass out proto tcp/udp all
> 
> I'd like to block the 192 block if it's coming from the cable modem. I've
> only got one NIC in my machine hence the alias. So is it possible for me
> to block the 192.168 segment, or do I need another NIC?

As already stated, you really need another NIC. :-)

Ignoring the whole "ARP on a cable modem issue", you might get somewhere
with the following rules.
   pass in quick from 192.168.1.0/28 to 192.168.1.16/32
   block in quick from 192.168.0.0/16 to 192.168.1.0/28
   block in quick from 192.168.0.0/16 to 24.65.241.78/32
   block in quick from 172.16.0.0/12 to any
   block in quick from 10.0.0.0/8 to any
   pass in proto tcp/udp all
   pass out proto tcp/udp all

Basically the first rule should allow your local clients to talk to your
alias address, and the second rule blocks any 192.168.0.0 address from
talking to any of your local clients.  The third rule would stop any packets
from actually reaching your outside ip.  Obviously someone can still target
the 192.168.1.16 address from the outside, but they shouldn't be able to
get packets to your local machines. (other than via an ARP method)
Unfortunately you will not be able to tell the difference between an attacker
with a 192.168.1.0/28 spoofed source address and your local client with that
address. (when the destination address is 192.168.1.16)

Hmm, well it seems like it would almost work, but it is not a "real" answer.

-Andrew
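As an added illustration (not part of the original thread), a small Python simulation of ipf's matching order over Andrew's suggested rules. It assumes ipf's usual default of passing packets that no rule matches, and it shows the caveat from the message: a 192.168.1.x source aimed at the 192.168.1.16 alias passes rule 1 whether it is a LAN client or a spoofed packet from the cable side, while the same source aimed at a LAN client or the outside IP is stopped by rules 2 and 3.

```python
import ipaddress
# Andrew's suggested rule set, copied from the message above.
RULES_TEXT = """\
pass in quick from 192.168.1.0/28 to 192.168.1.16/32
block in quick from 192.168.0.0/16 to 192.168.1.0/28
block in quick from 192.168.0.0/16 to 24.65.241.78/32
block in quick from 172.16.0.0/12 to any
block in quick from 10.0.0.0/8 to any
pass in proto tcp/udp all
pass out proto tcp/udp all
"""
def parse_rule(line):
    """Parse the ipf subset used above: ACTION DIR [quick] [proto P[/P]] (all | from A to A)."""
    tok = line.split()
    rule = {"action": tok[0], "dir": tok[1], "quick": False,
            "proto": None, "src": None, "dst": None}
    i = 2
    if tok[i] == "quick":
        rule["quick"], i = True, i + 1
    if tok[i] == "proto":
        rule["proto"], i = set(tok[i + 1].split("/")), i + 2
    if tok[i] != "all":  # otherwise the form is: from SRC to DST
        for key, addr in (("src", tok[i + 1]), ("dst", tok[i + 3])):
            rule[key] = None if addr == "any" else ipaddress.ip_network(addr)
    return rule

RULES = [parse_rule(line) for line in RULES_TEXT.splitlines()]

def matches(rule, direction, proto, src, dst):
    return (rule["dir"] == direction
            and (rule["proto"] is None or proto in rule["proto"])
            and (rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"]))

def evaluate(direction, proto, src, dst, rules=RULES):
    """ipf semantics: the last matching rule wins, except that a matching 'quick'
    rule ends the search at once. Assumed default when nothing matches: pass.
    Returns (verdict, 1-based number of the deciding rule, or None)."""
    verdict, hit = "pass", None
    for n, rule in enumerate(rules, 1):
        if matches(rule, direction, proto, src, dst):
            verdict, hit = rule["action"], n
            if rule["quick"]:
                break
    return verdict, hit
if __name__ == "__main__":  # constructed sample packets arriving "in" on ep0
    for pkt in [("in", "tcp", "192.168.1.5", "192.168.1.16"),  # LAN client or spoofed: rule 1
                ("in", "tcp", "192.168.7.9", "192.168.1.3")]:  # spoofed toward a LAN client: rule 2
        print(pkt, "->", evaluate(*pkt))
```

The first sample returns the same ("pass", 1) for a genuine client and for a spoofed packet, which is exactly the ambiguity the message points out when the destination is 192.168.1.16.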