This is probably going to be considered a newb question to most of you.
I have RTFM'ed the manual at http://www.openbsd.org/faq/pf/filter.html
several times now. I'm looking for specific pf rules to maybe address
some of the problems I've discovered on my system.
I have several custom services running that communicate over UDP on a
server in a data center. I am trying to play the devil's role, and am
using a tool called nemesis to inject UDP packets with false source
addresses from another server in the data center (different LAN, with
a Cisco router in between). So for example:
% nemesis udp -D 64.156.193.115 -y 10020 -S 64.156.193.115 -x 30001
I send this from a host with a different IP address. It's basically
sending a UDP packet to the 64.156.193.115 host, pretending that the UDP
packet came from the 64.156.193.115 host itself. Now, I had a process
listening on port 30001 on host 64.156.193.115, and verified that the
service listening on port 10020 did in fact respond to IP 64.156.193.115
port 30001 (the spoofed source IP and port).
I then tried to use nemesis to change the spoofed source address from
64.156.193.115 to 127.0.0.1 or 192.168.0.x, but nemesis wasn't able to
do this with the error message "ERROR: Incomplete packet injection. Only
wrote -1 bytes."
I happen to be running pf on my servers, but I'm using this in a very
minimalistic way - mostly to block certain IP addresses from certain
services (for example some guys in China spamming the opentracker
bit torrent tracking server).
A few questions:
1. Why can't I spoof a source address of 127.0.0.1? What is stopping
this from happening? nemesis can't do it. Also IPs like 192.168.0.x
cannot be spoofed (nemesis complains). Why?
2. What specific rules would you recommend for preventing spoofed
packets (obvious spoofs that is; I know that spoofed packets are
unpreventable in general)? Is there an example somewhere of just these
rules? I don't really see an absolute need for such rules, but would be
nice to have.
What do you think? Leave my system wide open and instead rely on
correctness of services themselves? For example, a rule blocking any
incoming packets on the physical interface that have a source address
equal to the address of the machine. Another example, block packets
coming in on physical interface with source address 127.0.0.1 (is this
even possible, or will something like the OS itself block this?). Also
block incoming packets with source of 192.168.0.0 or any other of the
reserved LAN IP addresses, since my machine isn't on one of these LANs.
By the way I'm using FreeBSD 8.0 and 7.1.
I will have another completely different question related to pf a bit
later. :-)
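One way to write the anti-spoofing rules asked about above, as an added pf.conf example for FreeBSD that is not part of the original post; the interface name em0 and the service port list are assumptions, the host address is the one from the post:

```pf
# Added example ruleset (not from the original post). Interface em0 and
# the two UDP service ports are assumptions; 64.156.193.115 is the post's
# host address.
ext_if = "em0"
udp_services = "{ 10020, 30001 }"

# Reserved / non-routable ranges that must never appear as a source
# address on the data-center uplink, since this host is on none of them.
table <martians> persist { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
    224.0.0.0/4, 240.0.0.0/4 }

# Loopback traffic never arrives from the wire; skip lo0 so that the
# antispoof rule below does not block the host talking to itself.
set skip on lo0

# Drop anything entering the uplink with a reserved source address
# (covers the 127.0.0.1 and 192.168.0.x cases from the post).
block in quick on $ext_if from <martians> to any

# Drop packets entering the uplink that claim this host's own address as
# source (the nemesis test: -S 64.156.193.115 arriving on em0).
# antispoof expands to "block in" rules for the interface's own address
# and for its subnet arriving on any other interface.
antispoof quick for $ext_if inet

# Default deny on the uplink, then admit only the UDP services, with state
# so that replies to our own outbound traffic are matched, not re-filtered.
block in log on $ext_if
pass in on $ext_if proto udp from any to ($ext_if) port $udp_services keep state
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then re-run the nemesis test from the other LAN and watch `tcpdump -n -e -ttt -i pflog0` for the logged drop.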