On Mon, Dec 09, 2019 at 10:58:32AM +0500, Alexander E. Patrakov wrote:
> 08.12.2019 16:42, Alexandr Nedvedicky wrote:
> > Hello,
> >
> > commit from today [1] makes IP stack more paranoid. Up to now OpenBSD
> > implemented so called 'weak host model' [2]. Today's commit alters
> > that for hosts which don't forward packets (don't act as routers).
> >
> > Your laptops, desktops and servers now check the packet destination
> > address against the IP address bound to the interface the packet is
> > received on. If there is a mismatch the packet will be discarded and
> > the 'wrongif' counter will be bumped. You can use 'netstat -s|grep wrongif'
> > to display the counter value.
> >
> > It is understood the behavior, which has been settled in IP stack since
> > the 80's, got changed. tech@openbsd.org (or b...@openbsd.org) wants to
> > hear back from you if this change breaks your existing set up. There is
> > a common belief this change won't hurt the majority (> 97%) of users,
> > though there is some non-zero risk, hence this announcement is being sent.
>
> Thanks for the announcement, it indeed looks like a useful hardening.
> However, I am worried about one particular class of systems that forward
> packets. Namely, systems that run virtual machines. This fix does not apply
> to them, although in most cases it should.

If forwarding is turned on then the system will behave like now.
In general in such cases you should configure the firewall according to
your needs. The system does not have enough information to understand
which interfaces / IPs are fine to route between and which ones are not.
> There might be also other classes of routers which don't do anything
> asymmetric and therefore would also want protection from packets received on
> the wrong interface.

This has nothing to do with symmetric or asymmetric routing. It has to do
with the fact that you are forwarding packets between interfaces, and so
reaching the other interface of a box is like talking to a host that is
connected to that interface. Again, on systems with forwarding enabled you
need to configure the firewall to prevent traffic from crossing a boundary.

> So maybe a separate announcement should be sent, with recommendations how to
> protect such systems.

There is no simple recommendation for systems forwarding traffic. There are
too many scenarios to cover. You have to configure pf(4) based on your
network topology. pf(4) has a few ways to help you to do this:

# for example use "on" to allow traffic on specific interfaces
block in all
pass in on external to $external_ip
pass in on internal to $internal_ip

# for example use received-on on out rules to know if something is
# forwarded
pass out on external received-on internal

# block all forwarded traffic into internal network
block out on internal received-on any

People need to be careful about passing traffic in to local IPs; in general
such rules should always specify an interface:

# bad, since this permits traffic from every interface
pass in proto tcp to $internal_ip port 8080

Additionally there is antispoof and the uRPF check to make some attacks
harder or impossible. Again, depending on your setup they may be an option
or not.

-- 
:wq Claudio
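A complete pf.conf for the VM-host case raised in this thread, as an added example that is not from the mail, from OpenBSD's documentation or from the project. It puts the fragments above together: every rule for a local service is bound to the interface its address lives on, forwarded traffic is recognised with received-on, and nothing forwarded may enter the guest network. The interface names, the addresses, the service ports and the decision to route (not NAT) the guest network are assumptions for illustration.

```pf
# Added example (not from the mail): pf.conf for a host with forwarding
# enabled that fronts a guest network, e.g. a VM host. Names and addresses
# are assumptions; the guest network is assumed to be routed, not NATed.
ext_if = "em0"
int_if = "bridge0"         # the guests are attached to this interface
ext_ip = "203.0.113.10"    # host address bound to $ext_if
int_ip = "192.0.2.1"       # host address bound to $int_if (guest gateway)
guests = "192.0.2.0/24"

# All addresses the host itself owns; negated later so that guests can be
# forwarded to the world but not reach the host's *other* address by
# sending to it over $int_if (the weak-host behaviour this thread is about).
table <host_ips> const { $ext_ip $int_ip }

set skip on lo

# Source-side sanity check: drop packets whose source belongs to one
# interface's network but which arrive on another interface.
antispoof quick for { $ext_if $int_if }

# Default deny in both directions; everything below is an exception.
block all

# Services the host offers. Each rule names the interface the destination
# address is bound to, so $int_ip is unreachable via $ext_if and vice versa.
# Without "on" a rule such as
#   pass in proto tcp to $int_ip port 53
# would accept that traffic on every interface, including $ext_if.
pass in on $ext_if proto tcp to $ext_ip port { 22 443 }
pass in on $int_if proto { tcp udp } to $int_ip port 53

# Forwarding from the guests: accept on the inside interface only for
# destinations that are not the host itself, and let it leave on $ext_if
# only if it was received on $int_if.
pass in on $int_if from $guests to ! <host_ips>
pass out on $ext_if received-on $int_if

# Nothing received on any interface may be forwarded into the guest
# network; log it so attempts show up on pflog0.
block out log on $int_if received-on any

# The host's own outbound traffic. Locally generated packets were not
# received on any interface, so the received-on block above does not
# match them.
pass out on $ext_if from $ext_ip
pass out on $int_if from $int_ip
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` to see forwarded packets that hit the logged block rule. Note that on a forwarding host the kernel's own 'wrongif' check is not in effect, so the `netstat -s` counter from the announcement tells you nothing here; the per-rule counters from `pfctl -vs rules` are what to look at.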