This is probably going to be considered a newb question to most of you.
I have RTFM'ed the manual at
several times now.  I'm looking for specific pf rules to maybe address
some of the problems I've discovered on my system.

I have several custom services running that communicate over UDP on a
server in a data center. I am trying to play the devil's role, and am using a tool called nemesis to inject UDP packets with false source addresses from another server in the data center (different LAN, with
a Cisco router in between).  So for example:

% nemesis udp -D -y 10020 -S -x 30001

I send this from a host with a different IP address. It's basically sending a UDP packet to the host, pretending that the UDP packet came from the host itself. Now, I had a process listening on port 30001 on host, and verified that the service listening on port 10020 did in fact respond to IP port 30001 (the spoofed source IP and port).

I then tried to use nemesis to change the spoofed source address from to or 192.168.0.x, but nemesis wasn't able to
do this with the error message "ERROR: Incomplete packet injection.  Only
wrote -1 bytes."

I happen to be running pf on my servers, but I'm using this in a very
minimalistic way - mostly to block certain IP addresses from certain
services (for example some guys in China spamming the opentracker
bit torrent tracking server).

A few questions:

1. Why can't I spoof a source address of  What is stopping
this from happening?  nemesis can't do it.  Also IPs like 192.168.0.x
cannot be spoofed (nemesis complains).  Why?

2. What specific rules would you recommend for preventing spoofed
packets (obvious spoofs that is; I know that spoofed packets are unpreventable in general)? Is there an example somewhere of just these rules? I don't
really see an absolute need for such rules, but would be nice to have.
What do you think?  Leave my system wide open and instead rely on
correctness of services themselves?  For example, a rule blocking any
incoming packets on the physical interface that have a source address
equal to the address of the machine. Another example, block packets coming in on physcial interface with source address (is this even possible, or will something like the OS itself block this?). Also block incoming packets with source of or any other of the reserved LAN IP addresses, since my machine isn't on one of these LANs.

By the way I'm using FreeBSD 8.0 and 7.1.

I will have another completely different question related to pf a bit later. :-)

Reply via email to