DaemonForums  

#1
20th December 2010
ripp3r
Can I spoof???

Hi guys,

as said I'm doing my graduation with PF.

Here's the scenario:

VM connected to the INT_IF (PF), then PF has another IF to go outside (actually my physical router).

I've installed 2 VMs, 1 Win7 and the other BackTrack 4.

I set it up so that ONLY the Win7 machine can ping and surf; everything works, because if I try a ping with Win7 it succeeds, and with BT it fails.

Now the "problem", in pf.conf I wrote the "anti spoof" rule but it doesn't seem to be working.

Win7 has the IP of 10.0.0.50 and BT has 10.0.0.100, from BT I can launch this command: sing -S 10.0.0.50 8.8.8.8 and I have replies!!!


I'm sure that I'm wrong somewhere... please look at the pictures that I've attached.

Let me know something.
Attached Images
PingSpoof&Normal.png
PFcfg&others.png

#2
21st December 2010
jggimi

If I understand your configuration, both your test Win7 and BT virtual machines are on the 10/8 network.

Antispoof is designed to prevent external attacks from pretending they are using internal addresses. It does not do what you assume.

Please do the following:
  1. Read the Blocking Spoofed Packets section in the Packet Filtering chapter of the PF User's Guide.
  2. Use "# pfctl -s rules" to see the expansion of the antispoof command into specific filter rules in your test environment.
  3. Configure a new test, where your attacker is outside the subnet to be protected.

#3
25th December 2010
ripp3r

Ok I will try...

I just don't understand WHY PF considers SPOOF only at network-address level. If you think for a moment, you can compromise a network from inside or outside... and for me it is worse if you compromise the network from inside, 'cause it's considered a "protected" network.

What I mean is that many firewalls check the single IP instead of the network address related to the interface.

Anyway thank you for your reply!

#4
26th December 2010
jggimi

In your example, you spoofed an address on the same subnet. Your firewall was NOT involved.
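
An added example, not part of any post above and not PF's own code: a small Python model of the two block rules that `antispoof for <interface> inet` expands to according to the pf.conf documentation, evaluated for the addresses in this thread. The interface names `em0`/`em1`, the firewall address 10.0.0.1 and the /8 mask are assumptions; only the antispoof rules are modelled, not the rest of the ruleset.

```python
import ipaddress


def antispoof_rules(ifname, if_addr, prefixlen):
    """Model the two rules `antispoof for <ifname> inet` expands to."""
    net = ipaddress.ip_network(f"{if_addr}/{prefixlen}", strict=False)
    return [
        # block drop in on ! <ifname> inet from <interface network> to any
        {"not_on": ifname, "src": net},
        # block drop in inet from <interface address> to any
        {"not_on": None, "src": ipaddress.ip_network(f"{if_addr}/32")},
    ]


def blocked_by_antispoof(rules, in_iface, src):
    """True if a packet arriving on in_iface with source src matches a rule."""
    src = ipaddress.ip_address(src)
    for rule in rules:
        iface_matches = rule["not_on"] is None or in_iface != rule["not_on"]
        if iface_matches and src in rule["src"]:
            return True
    return False


# Assumed names and addresses (not given in the thread).
INT_IF, EXT_IF = "em1", "em0"
RULES = antispoof_rules(INT_IF, "10.0.0.1", 8)

# Constructed test packets: (description, arrival interface, source address)
CASES = [
    ("BT with its own address, from inside", INT_IF, "10.0.0.100"),
    ("BT claiming Win7's address, from inside", INT_IF, "10.0.0.50"),
    ("outside host claiming Win7's address", EXT_IF, "10.0.0.50"),
    ("packet claiming the firewall's own address", INT_IF, "10.0.0.1"),
]


def evaluate(cases=CASES, rules=RULES):
    """Map each case description to whether antispoof would block it."""
    return {label: blocked_by_antispoof(rules, iface, src)
            for label, iface, src in cases}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'BLOCK' if hit else 'no match':8}  {label}")
```

A source address that belongs to the internal network and arrives on the internal interface matches neither rule, so any decision on that packet comes from the other rules in pf.conf.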