Countering Spoofing Attempts

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.



Spoofing is the practice of sending packets with a forged source address in an attempt to circumvent security measures. Shorewall supports a variety of measures to counter spoofing attacks.

The routefilter Interface Option

This shorewall-interfaces (5) option was the first measure implemented and uses /proc/sys/net/ipv4/conf/*/rp_filter. Many distributions set this option by default for all ip interfaces. The option works by determining the reverse path (the route from the packets destination to its source); it that route does not go out through the interface that received the packet, then the packet is declared to be a martian and is dropped. A kernel log message is generated if the interface's logmartians option is set (/proc/sys/net/ipv4/conf/*/log_martians).

While this option is simple to configure, it has a couple of disadvantages:

  • It is not supported by IPv6.

  • It does not use packet marks so it doesn't work with some Multi-ISP configurations.

  • The log messages produces are obscure and confusing.

Hairpin Filtering

Spoofing can be used to exploit Netfilter's connection tracking to open arbitrary firewall ports. Attacks of this type establish a connection to a server that uses separate control and data connections such as an FTP server. It then sends a packet addressed to itself and from the server. Such packets are sent back out the same interface that received them (hairpin). In cases where the routerfilter option can't be used, Shorewall 4.4.20 and later will set up hairpinning traps (see the SFILTER_DISPOSITION and SFILTER_LOG_LEVEL options in shorewall.conf (5)).

This automatic hairpin trapping is disabled on interfaces with the routeback option.

The rpfilter Interface Option

A new iptables/ip6tables match (rpfilter) was added in kernel 3.4.4. This match performs reverse path evaluation similar to routefilter but without the disadvantages:

  • It is supported by both IPv4 and IPv6.

  • It uses packet marks so it works with all Multi-ISP configurations.

  • It produces standard Shorewall/Netfilter log messages controlled by the RPFILTER_LOG_LEVEL option in shorewall.conf (5)).

  • Both the disposition and auditing can be controlled using the RPFILTER_DISPOSITION option in shorewall.conf (5)).


Frequently Used Articles

- FAQs - IPv4 Manpages - IPv6 Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.0/4.2 Documentation

Current HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages (IPv4) (IPv6) - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page