ifaccess.conf(4)					     ifaccess.conf(4)



NAME

  ifaccess.conf - Interface access filter configuration file

DESCRIPTION

  The /etc/ifaccess.conf file is an optional system file that specifies
  access filter entries for network interfaces.  Interface access filtering
  provides a mechanism for detecting and preventing IP spoofing attacks. (See
  CERT Advisory CA-95:01). The source addresses of IP input packets are
  checked against interface access filter entries; packets receive the action
  associated with the first matching entry. The /etc/ifaccess.conf file is
  read by the /usr/sbin/ifconfig command when called with the filter option.

  The /etc/ifaccess.conf file is defined as a Context-Dependent Symbolic Link
  (CDSL), and must be maintained as such.  See the System Administration
  manual for more information.

  Lines in /etc/ifaccess.conf may be comment lines beginning with a number
  sign (#), blank lines, or access filter entries with the following format:

       interface_id address mask action

  In the preceding format:

  interface_id
      Specifies the network interface for which this entry applies.

  address
      Is specified as a host name, network name, or an Internet address in
      the standard dotted-decimal notation.

  mask
      Specifies which bits of the address are significant.  The mask can be
      specified as a single hexadecimal number beginning with 0x, in the
      standard Internet dotted-decimal notation, or beginning with a name.
      The mask contains 1s (ones) for the bit positions in address that are
      significant.

  action
      Specifies the action applied to packets that match this entry.  The
      following actions are allowed: permit, deny, or denylog.  Packets
      matching an entry with a permit action are passed to higher levels;
      packets matching an entry with a deny action are dropped; packets
      matching an entry with a denylog action are dropped, with a descriptive
      message sent to the system error logging facility.

  To prevent host spoofing, you must determine which networks are not secure
  and which interfaces are connected to those networks.  For example, if a
  host is connected to a secure, trusted network on one interface and to a
  non-trusted (non-secure) network on a second interface, you need to add an
  entry for the non-trusted network interface in the host's ifaccess.conf
  file.  Interfaces connected to trusted networks do not require an entry in
  the ifaccess.conf file.

  By default, the ifaccess.conf file contains an entry for each configured
  adapter that disables localhost as a source address.  To enable access
  filtering on an interface, issue the ifconfig command with the filter
  parameter for the interface. For example, for tu0, the command is as
  follows:

       # ifconfig tu0 filter

  Use the netstat(1) command to display the current access filters for the
  interface.

NOTES

  Some machines send IP broadcast messages to the alternate all-zeros address
  instead of the all-ones address. This generates the following error:

       ipintr: IP addr 0.0.0.0 on interface: access denied

  You should consider this error equivalent to the following error:

       ipintr: IP addr 255.255.255.255 on interface: access denied

  Use the tcpdump command to capture and examine the IP packets in order to
  find out about the machine sending them.

RESTRICTIONS

  An interface access filter entry mask must have at least as many
  significant bits set as the address.

  Interface access filters have an implicit default permit all entry at the
  end.

  Interface access filter entries are assigned in the order in which they
  appear in /etc/ifaccess.conf, with packets receiving the action of the
  first entry that matches.

  At most IFAF_MAXENTRIES access filter entries may be assigned for each
  network interface. (See the /usr/sys/include/net/if.h file.)

  A default deny all entry may be configured by adding an entry similar to
  the following as the last entry for interface xyz0 in the /etc/ifaccess.conf
  file:

       xyz0 0.0.0.0 0.0.0.0 deny

  Only address family inet is supported.

EXAMPLES

  The following example shows the ifaccess.conf files for two hosts, Host A
  and Host B, on a network; trusted is the trusted network.  Host A connects
  to the trusted network via the fza0 interface and connects to an untrusted
  network, insecure1, via the ln0 interface.

  Host A's ifaccess.conf file includes the following entry:

       ln0 trusted 255.255.255.0 deny         # deny all packets from hosts that
                                              # claim they originated from the
                                              # secure network.

  Host B connects to the trusted network via the fza0 interface; connects to
  an untrusted network, insecure1, via the ln0 interface; and connects to
  another untrusted network, insecure2, via the ln1 interface.  Host B's
  ifaccess.conf file includes the following entries:

       ln0 trusted 255.255.255.0 deny         # deny all packets from hosts that
                                              # claim they originated from the
                                              # secure network.
       ln1 trusted 255.255.255.0 deny         # deny all packets from hosts that
                                              # claim they originated from the
                                              # secure network.

  Note that there is no entry in the ifaccess.conf file for the trusted
  network device, fza0.  Only the untrusted network interfaces are configured
  with ifaccess.conf.
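  The following is an added example, not part of this manual or of the OSF1
  ifconfig code: a small Python model of the entry format and matching rules
  described above (first matching entry wins, implicit permit at the end, mask
  must cover every significant address bit).  It assumes the network name
  trusted has already been resolved to the constructed address 192.0.2.0, and
  it models Host B's entries plus a default deny all entry on ln1.

```python
import ipaddress

# Constructed ifaccess.conf contents modelled on Host B above; "trusted" is
# assumed to resolve to 192.0.2.0 (a constructed, documentation-range value).
SAMPLE_CONF = """\
# deny packets on untrusted interfaces that claim to come from the trusted net
ln0 192.0.2.0 255.255.255.0 deny
ln1 192.0.2.0 0xffffff00    denylog      # same mask written in hex
ln1 0.0.0.0   0.0.0.0       deny         # default deny all, last entry for ln1
"""

ACTIONS = {"permit", "deny", "denylog"}


def parse_mask(text):
    """Accept a 0x-prefixed hexadecimal mask or dotted-decimal; return an int."""
    if text.lower().startswith("0x"):
        return int(text, 16) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(text))


def parse_conf(text):
    """Return entries as (interface, address, mask, action) in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        iface, addr, mask, action = line.split()
        addr_i, mask_i = int(ipaddress.IPv4Address(addr)), parse_mask(mask)
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        # RESTRICTIONS: the mask must have at least the address's significant bits
        if addr_i & ~mask_i & 0xFFFFFFFF:
            raise ValueError(f"mask {mask} does not cover address {addr}")
        entries.append((iface, addr_i, mask_i, action))
    return entries


def filter_action(entries, iface, src):
    """Action for a packet with source src arriving on iface.

    Entries are consulted in file order and the first match on this interface
    wins; an interface with no matching entry falls through to the implicit
    default permit.
    """
    src_i = int(ipaddress.IPv4Address(src))
    for ent_iface, addr_i, mask_i, action in entries:
        if ent_iface == iface and (src_i & mask_i) == addr_i:
            return action
    return "permit"
```

  Running it with the all-zeros source from the NOTES section shows why that
  address is treated like the all-ones broadcast: on ln1 both fall through to
  the final deny all entry.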

FILES

  /etc/ifaccess.conf
       Specifies the path name for the file.

  /usr/sys/include/net/if.h
       Network interface structures header file.

  /usr/sys/include/netinet/in_var.h
       Internet address and version structures header file.

RELATED INFORMATION

  Commands: netstat(1), ifconfig(8), syslogd(8), tcpdump(8).