ifaccess.conf(4)
ifaccess.conf - Interface access filter configuration file
The /etc/ifaccess.conf file is an optional system file
that specifies access filter entries for network interfaces.
Interface access filtering provides a mechanism
for detecting and preventing IP spoofing attacks. (See
CERT Advisory CA-95:01). The source addresses of IP input
packets are checked against interface access filter
entries; packets receive the action associated with the
first matching entry. The /etc/ifaccess.conf file is read
by the /usr/sbin/ifconfig command when called with the
filter option.
The /etc/ifaccess.conf file is defined as a Context-Dependent
Symbolic Link (CDSL), and must be maintained as such.
See the System Administration manual for more information.
Lines in /etc/ifaccess.conf may be comment lines beginning
with a number sign (#), blank lines, or access filter
entries with the following format:

    interface_id address mask action

In the preceding format:

    interface_id
        Specifies the network interface for which this entry applies.

    address
        Is specified as a host name, network name, or an Internet
        address in the standard dotted-decimal notation.

    mask
        Specifies which bits of the address are significant. The mask
        can be specified as a single hexadecimal number beginning with
        0x, in the standard Internet dotted-decimal notation, or by
        name. The mask contains 1s (ones) for the bit positions in
        address that are significant.

    action
        Specifies the action taken on packets that match the entry.
        The following actions are allowed: permit, deny, or denylog.
        Packets matching an entry with a permit action are passed to
        higher levels; packets matching an entry with a deny action
        are dropped; packets matching an entry with a denylog action
        are dropped, with a descriptive message sent to the system
        error logging facility.
To prevent host spoofing, you must determine which networks
are not secure and which interfaces are connected to
those networks. For example, if a host is connected to a
secure, trusted network on one interface and to a nontrusted
(non-secure) network on a second interface, you
need to add an entry for the non-trusted network interface
in the host's ifaccess.conf file. Interfaces connected to
trusted networks do not require an entry in the ifaccess.conf
file.
By default, the ifaccess.conf file contains an entry for
each configured adapter that disables localhost as a
source address. To enable access filtering on an interface,
issue the ifconfig command with the filter parameter
for the interface. For example, for tu0, the command is as
follows:

    # ifconfig tu0 filter

Use the netstat(1) command to display the current access
filters for the interface.
Some machines send IP broadcast messages to the alternate
all-zeros address instead of the all-ones address. This
generates the following error:

    ipintr: IP addr 0.0.0.0 on interface: access denied

You should consider this error equivalent to the following error:

    ipintr: IP addr 255.255.255.255 on interface: access denied

Use the tcpdump command to capture and examine the IP packets in
order to find out about the machine sending them.
An interface access filter entry mask must have at least
as many significant bits set as the address.
Interface access filters have an implicit default permit
all entry at the end.
Interface access filter entries are assigned in the order
in which they appear in /etc/ifaccess.conf, with packets
receiving the action of the first entry that matches.
At most IFAF_MAXENTRIES access filter entries may be
assigned for each network interface. (See the
/usr/sys/include/net/if.h file.)
A default deny all entry may be configured by adding an
entry similar to the following as the last entry for
interface xyz0 in the /etc/ifaccess.conf file:

    xyz0 0.0.0.0 0.0.0.0 deny

Only address family inet is supported.
The following example shows the ifaccess.conf files for
two hosts, Host A and Host B, on a network; trusted is the
trusted network. Host A connects to the trusted network
via the fza0 interface and connects to an untrusted network,
insecure1, via the ln0 interface.
Host A's ifaccess.conf file includes the following entry:

    ln0 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                      # claim they originated from the
                                      # secure network.

Host B connects to the trusted network via the fza0 interface;
connects to an untrusted network, insecure1, via the
ln0 interface; and connects to another untrusted network,
insecure2, via the ln1 interface. Host B's ifaccess.conf
file includes the following entries:

    ln0 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                      # claim they originated from the
                                      # secure network.
    ln1 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                      # claim they originated from the
                                      # secure network.

Note that there is no entry in the ifaccess.conf file for
the trusted network device, fza0. Only the untrusted network
interfaces are configured with ifaccess.conf.
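The following Python is an added illustration, not code from this man page or from the operating system: it models the filter semantics described above (first matching entry wins, an implicit permit-all entry at the end, a mask that must cover every significant bit of its address, and the per-interface IFAF_MAXENTRIES limit) and evaluates constructed source addresses against entries written in the Host B style. The name table mapping "trusted" to 10.1.1.0, the localhost entry's form, and the IFAF_MAXENTRIES value of 16 are assumptions made for the example.

```python
import ipaddress

# Constructed name table standing in for /etc/hosts and /etc/networks;
# "trusted" resolving to 10.1.1.0 is an assumption, not from the man page.
NAMES = {"trusted": "10.1.1.0"}
IFAF_MAXENTRIES = 16  # assumed value; the real one is defined in net/if.h

def to_int(text):
    """Resolve a name, dotted-decimal address or 0x-prefixed hex mask to an int."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return int(ipaddress.IPv4Address(NAMES.get(text, text)))

def parse_entries(conf):
    """Parse ifaccess.conf text into per-interface lists of (addr, mask, action)."""
    filters = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ifname, addr, mask, action = line.split()
        if action not in ("permit", "deny", "denylog"):
            raise ValueError(f"bad action: {action}")
        a, m = to_int(addr), to_int(mask)
        if a & ~m:  # the mask must cover every significant bit of the address
            raise ValueError(f"mask {mask} does not cover address {addr}")
        entries = filters.setdefault(ifname, [])
        if len(entries) >= IFAF_MAXENTRIES:
            raise ValueError(f"{ifname}: more than {IFAF_MAXENTRIES} entries")
        entries.append((a, m, action))
    return filters

def check_source(filters, ifname, src):
    """Action for source src on ifname: first match wins, implicit permit-all at the end."""
    s = to_int(src)
    for a, m, action in filters.get(ifname, []):
        if s & m == a & m:
            return action
    return "permit"

# Constructed configuration in the style of the Host B example above.
CONF = """\
ln0 127.0.0.0 255.0.0.0 deny        # localhost-as-source entry (constructed form)
ln0 trusted 255.255.255.0 denylog   # log packets claiming to be from the trusted net
ln1 trusted 255.255.255.0 deny
ln1 0.0.0.0 0.0.0.0 deny            # default deny all as the last ln1 entry
"""
FILTERS = parse_entries(CONF)
```

Note that fza0 has no entries, so every source address on it falls through to the implicit permit, exactly as the Host B example leaves the trusted interface unfiltered.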
Files:
    /etc/ifaccess.conf - Specifies the path name for the file.
    /usr/sys/include/net/if.h - Network interface structures header file.
    Internet address and version structures header file.
Commands: netstat(1), ifconfig(8), syslogd(8), tcpdump(8).