 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Bogus network filtering
 Date:  Wed, 13 Jul 2005 12:22:23 -0400
After reading the following resource I have a couple of questions
regarding bogus networks and smurf attacks.
http://www.obfuscation.org/ipf/ipf-howto.html

{EXISTING IN M0N0WALL} 
# Existing from unparsed ipnat rules status.php
# block anything from private networks on WAN interface 
@15 block in log quick on xl0 from 10.0.0.0/8 to any
@16 block in log quick on xl0 from 127.0.0.0/8 to any
@17 block in log quick on xl0 from 172.16.0.0/12 to any
@18 block in log quick on xl0 from 192.168.0.0/16 to any

# from unparsed ipnat rules status.php
# WAN spoof check
block in log quick on xl0 from 192.168.222.0/24 to any
block in log quick on xl0 from 192.168.2.0/24 to any

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
skip 2 in on rl1 from 192.168.2.0/24 to any
skip 1 in on rl1 from 192.168.222.0/24 to any
block in log quick on rl1 all
skip 1 in on rl0 from 192.168.2.0/24 to any
block in log quick on rl0 all


?? Since m0n0wall uses the "keep state" keyword, is there any point in
entering the following for the WAN FW rules?

# Bogus Network Filtering
block in log quick on xl0 from 0.0.0.0/7 to any
block in log quick on xl0 from 2.0.0.0/8 to any
block in log quick on xl0 from 5.0.0.0/8 to any
block in log quick on xl0 from 23.0.0.0/8 to any
block in log quick on xl0 from 27.0.0.0/8 to any
block in log quick on xl0 from 31.0.0.0/8 to any
block in log quick on xl0 from 70.0.0.0/7 to any
block in log quick on xl0 from 72.0.0.0/5 to any
block in log quick on xl0 from 83.0.0.0/8 to any
block in log quick on xl0 from 84.0.0.0/6 to any
block in log quick on xl0 from 88.0.0.0/5 to any
block in log quick on xl0 from 96.0.0.0/3 to any
block in log quick on xl0 from 128.0.0.0/16 to any
block in log quick on xl0 from 128.66.0.0/16 to any
block in log quick on xl0 from 169.254.0.0/16 to any
block in log quick on xl0 from 191.255.0.0/16 to any
block in log quick on xl0 from 192.0.0.0/19 to any
block in log quick on xl0 from 192.0.48.0/20 to any
block in log quick on xl0 from 192.0.64.0/18 to any
block in log quick on xl0 from 192.0.128.0/17 to any
block in log quick on xl0 from 197.0.0.0/8 to any
block in log quick on xl0 from 201.0.0.0/8 to any
block in log quick on xl0 from 204.152.64.0/23 to any
block in log quick on xl0 from 219.0.0.0/8 to any
block in log quick on xl0 from 220.0.0.0/6 to any
block in log quick on xl0 from 224.0.0.0/3 to any

>>  WAN Spoof Check.. 
block in log quick on xl0 from any to 192.168.222.0/32
block in log quick on xl0 from any to 192.168.222.255/32
block in log quick on xl0 from any to 192.168.2.0/32
block in log quick on xl0 from any to 192.168.2.255/32

Assuming the answer is yes, am I correct in placing the rules ahead of
my user-defined "pass in" rules for the WAN interface?

@22 block in log quick on xl0 from any to any head 200
-->{add bogus network blocks}
@1 pass in quick proto gre from any to 192.168.222.40/32 keep state group 200
@2 pass in quick proto tcp from any to 192.168.222.40/32 port = 1723 keep state group 200
@3 pass in quick proto tcp from any to 192.168.222.4/32 port = 80 keep state group 200
@4 pass in quick proto tcp from any to 192.168.222.4/32 port = 443 keep state group 200
@5 pass in quick proto tcp from any to 192.168.222.6/32 port = 80 keep state group 200
@6 pass in quick proto tcp from any to 192.168.222.6/32 port = 443 keep state group 200
@7 pass in quick proto tcp from any to 192.168.222.8/32 port = 443 keep state group 200
@8 pass in quick proto tcp from any to 192.168.222.9/32 port = 443 keep state group 200
@9 pass in quick proto tcp from any to 192.168.222.18/32 port = 25 keep state group 200
@10 pass in quick proto tcp from any to 192.168.222.18/32 port = 110 keep state group 200
@11 pass in quick proto tcp from any to 192.168.222.18/32 port = 32000 keep state group 200
-->{add smurf attack stuff last}
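The ordering question in the message turns on how ipfilter walks its rule list: "quick" rules end evaluation at the first match, a "head" rule hands off to its group, and "keep state" only short-circuits packets that belong to a flow a pass rule has already admitted. The script below is an added example, not part of the message and not m0n0wall's or ipfilter's code; it implements a deliberately simplified evaluator with those semantics over a constructed subset of the rules quoted above, so you can see where an inbound packet from a bogon source stops if the block rules sit before the "head 200" rule. The packet tuples, the "pass when nothing matches" default, and the flat state table are assumptions for illustration. One practitioner's caveat that also falls out of this: a static bogon list is only as good as its date, and much of the 2005 list in the message has since been allocated, so anyone still carrying such rules should regenerate them from a current source.

```python
"""Simplified ipf-style first-match evaluator (constructed example)."""
import ipaddress
import re

# Constructed subset of the rules quoted in the message, in evaluation order:
# RFC 1918/loopback blocks, a few bogon blocks, the WAN broadcast spoof check,
# the "head 200" catch-all, and some group-200 pass rules.
RULESET = """
block in log quick on xl0 from 10.0.0.0/8 to any
block in log quick on xl0 from 127.0.0.0/8 to any
block in log quick on xl0 from 172.16.0.0/12 to any
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 0.0.0.0/7 to any
block in log quick on xl0 from 169.254.0.0/16 to any
block in log quick on xl0 from 224.0.0.0/3 to any
block in log quick on xl0 from any to 192.168.222.255/32
block in log quick on xl0 from any to any head 200
pass in quick proto gre from any to 192.168.222.40/32 keep state group 200
pass in quick proto tcp from any to 192.168.222.40/32 port = 1723 keep state group 200
pass in quick proto tcp from any to 192.168.222.4/32 port = 80 keep state group 200
pass in quick proto tcp from any to 192.168.222.18/32 port = 25 keep state group 200
"""

# Regex for the subset of ipf syntax used above (assumption: not a full parser).
RULE_RE = re.compile(
    r"(?P<action>block|pass) in(?: log)?(?P<quick> quick)?(?: on \w+)?"
    r"(?: proto (?P<proto>\w+))? from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<port>\d+))?(?P<state> keep state)?"
    r"(?: head (?P<head>\d+))?(?: group (?P<group>\d+))?$"
)


def _net(token):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Turn the rule text into a list of dicts; raises on anything unparsed."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        d = m.groupdict()
        rules.append({
            "action": d["action"],
            "quick": d["quick"] is not None,
            "proto": d["proto"],
            "src": _net(d["src"]),
            "dst": _net(d["dst"]),
            "port": int(d["port"]) if d["port"] else None,
            "keep_state": d["state"] is not None,
            "head": int(d["head"]) if d["head"] else None,
            "group": int(d["group"]) if d["group"] else None,
            "text": line.strip(),
        })
    return rules


def matches(rule, pkt):
    """pkt is a constructed (proto, src_ip, dst_ip, dst_port) tuple."""
    proto, src, dst, dport = pkt
    if rule["proto"] and rule["proto"] != proto:
        return False
    if rule["src"] and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    if rule["port"] is not None and rule["port"] != dport:
        return False
    return True


class Filter:
    def __init__(self, rules):
        self.top = [r for r in rules if r["group"] is None]
        self.groups = {}
        for r in rules:
            if r["group"] is not None:
                self.groups.setdefault(r["group"], []).append(r)
        self.state = set()  # assumption: flat table keyed by the packet tuple

    def _apply(self, rule, pkt):
        if rule["action"] == "pass" and rule["keep_state"]:
            self.state.add(pkt)  # later packets of this flow bypass the rules
        return rule["action"], rule["text"]

    def evaluate(self, pkt):
        """Return (action, reason) for one inbound packet."""
        if pkt in self.state:
            return "pass", "state"
        decision = ("pass", "default")  # assumption: pass if nothing matches
        for rule in self.top:
            if not matches(rule, pkt):
                continue
            if rule["head"] is not None:
                # Head matched: first matching group rule wins, else the head's action.
                for grule in self.groups.get(rule["head"], []):
                    if matches(grule, pkt):
                        return self._apply(grule, pkt)
                return self._apply(rule, pkt)
            if rule["quick"]:
                return self._apply(rule, pkt)
            decision = (rule["action"], rule["text"])  # non-quick: last match wins
        return decision


if __name__ == "__main__":
    fw = Filter(parse_rules(RULESET))
    for pkt in [("tcp", "10.1.2.3", "192.168.222.4", 80),      # private source on WAN
                ("tcp", "198.51.100.7", "192.168.222.4", 80),  # legitimate web hit
                ("tcp", "198.51.100.7", "192.168.222.4", 80),  # same flow, now stateful
                ("tcp", "198.51.100.7", "192.168.222.4", 22),  # no group rule: head blocks
                ("udp", "198.51.100.7", "192.168.222.255", 53)]:  # broadcast spoof check
        print(pkt, "->", fw.evaluate(pkt))
```

Run it as-is to see each decision with the rule that produced it. The bogon-sourced packet never reaches group 200 because the quick block rules precede the head rule; the first legitimate web packet is admitted by the group rule and creates state, and only the second packet of that flow is answered from the state table, which is why the block rules still see every new inbound connection attempt.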