Community discussions

 
User avatar
jp
Long time Member
Long time Member
Topic Author
Posts: 599
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine
Contact:

firewall feature suggestion

Wed Feb 13, 2008 6:12 pm

I would suggest an optionally enabled feature in the firewall filtering for routers that:
1. Looks at the routing table.
2. Discards the default route(s) from it's read-only observation of the routing table, (or routes that use a specified upstream interface.)
3. Builds a firewall ruleset where packets not having source addresses in those IP ranges found in the routing table are discarded or handled by a user specified option.
4. Maintains the correlation between routing table and firewall.

This feature could then be applied to an interface, and it would stop all spoofing very easily and automatically.

It has long been a good security practice to not let packet pass through routers when you know they don't come or don't look like they come from your own network. (Unless you are an upstream BGP player, then there are BGP Filters for that). However, I have a big network with lots of MTs and lots of IP ranges and am always adding IP ranges, changing things, etc.. and it is not practical to manually create rules like this that block forged packets or illegitimate packet sources. I was recently reminded I should be doing more firewalling of this nature after seeing how the v3.2 snmp exploit's source forging works so well and easily.
 
User avatar
sten
Forum Veteran
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Re: firewall feature suggestion

Fri Mar 07, 2008 9:12 pm

On other platforms the same has been implemented by doing a route lookup on source address and comparing packet in-interface with route out-interface.
I too want to see such a feature. 1 rule to end all locally spoofing. It would be awesome!
Move along. Nothing to see here.
 
User avatar
BrianHiggins
Long time Member
Long time Member
Posts: 598
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT
Contact:

Re: firewall feature suggestion

Mon Mar 24, 2008 9:09 pm

I would none-the-less LOVE to implement something like this for our PPPoE clients and the interfaces that serve DHCP to our CPEs
 
changeip
Forum Guru
Forum Guru
Posts: 3803
Joined: Fri May 28, 2004 5:22 pm

Re: firewall feature suggestion

Mon Mar 24, 2008 10:43 pm

i was working on a script and address-list to do this, if i ever finish it i will post it.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: firewall feature suggestion

Wed Aug 27, 2008 2:38 pm

i was working on a script and address-list to do this, if i ever finish it i will post it.
hi changeip your script its really important please post it

Who is online

Users browsing this forum: No registered users and 118 guests