| The applications cannot do this.
The AltaVista Firewall for UNIX product used to patch this functionality into
the UNIX kernel, but as of V4.0 it is included as part of the Digital UNIX
product. Basically, if the functionality is turned on with the ifconfig filter
keyword, then the kernel builds tables of permitted and denied source addresses
on a per-interface basis from the file /etc/ifaccess.conf. Then, as a packet
arrives, the very first thing that is done is a source address check; if it's
wrong, the packet is logged and dropped.
|
| In short, IP filtering is not done at the TCP layer but instead
| at the IP layer, first thing. After the packet has been checked
| for basic validity (header checksum test), the source address is
| checked via a filter table for the given interface. In other
| words, each interface on the system has a unique filter table.
| Using your example above, the interface se0 could be told to
| accept packets with a source address of 10.9.8.*, and se1 to
| accept packets with 10.9.5.* (assuming an 8-bit mask). In the
| specific case of the firewall, the inward-facing interface could
| be on network 10.1.1.*, in which case its filter will say to
| accept *only* packets with a source address in that range. If,
| behind the firewall, there is another network (behind a router
| or something), this is added to the ACCEPT list as well. All
| other source addresses are deemed invalid. On the outward-facing
| side, all packets are accepted EXCEPT those with a source address
| in use on the internal network. Hence, it is impossible for an
| external host to spoof the firewall into thinking its packets
| arrived on the internal interface. If you have any other questions
| on this, please send them via email as I don't often get a chance
| to read notes. My email address is [email protected].
| (I'm using Mark Smith's account at the moment because I'm in his
| office).
| Dermot Tynan
|
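The per-interface filter tables described in the note above, as an added example that is not part of the original note or of Digital's kernel code. It models the behaviour Dermot describes in Python: a constructed config is loaded into one rule table per interface, and each arriving packet first gets the header-checksum test and then a source-address lookup in the table for the interface it arrived on; a failed packet is logged and dropped. The config syntax (interface, network/prefix, permit or deny; first matching rule wins; a source matching no rule is denied), the interface names tu0/tu1, and the default-deny rule are assumptions, not the documented /etc/ifaccess.conf format. The inside interface lists only the internal ranges; the outside interface denies those same ranges and then permits everything else, which is exactly the arrangement that stops an external host from spoofing an internal source address.

```python
"""Model of per-interface source-address filtering ("ifconfig filter").

Added illustration, not Digital UNIX code. The config syntax below is an
ASSUMPTION, not the real /etc/ifaccess.conf format: each line is
    <interface> <network>/<prefix> permit|deny
rules are checked in order, first match wins, and an unmatched source is denied.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

# Constructed config (assumed syntax). tu0 faces the internal network,
# tu1 faces outside; 10.2.0.0/16 stands for a network behind an internal router.
IFACCESS_CONF = """
# inward-facing interface: accept only internal sources
tu0 10.1.1.0/24  permit
tu0 10.2.0.0/16  permit
# outward-facing interface: accept everything except internal sources
tu1 10.1.1.0/24  deny
tu1 10.2.0.0/16  deny
tu1 0.0.0.0/0    permit
"""

Rule = Tuple[ipaddress.IPv4Network, bool]  # (network, permitted?)


def build_tables(conf: str) -> Dict[str, List[Rule]]:
    """Build one ordered rule list per interface from the config text."""
    tables: Dict[str, List[Rule]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        iface, net, action = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r} in line {raw!r}")
        tables.setdefault(iface, []).append(
            (ipaddress.ip_network(net, strict=True), action == "permit"))
    return tables


def source_permitted(tables: Dict[str, List[Rule]], iface: str, src: str) -> bool:
    """First matching rule decides; no match (or unknown interface) means deny."""
    addr = ipaddress.ip_address(src)
    for net, permit in tables.get(iface, []):
        if addr in net:
            return permit
    return False


def ip_header_checksum(header: bytes) -> int:
    """Standard ones'-complement IPv4 header checksum; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, ttl: int = 64) -> bytes:
    """Constructed minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_header_checksum(hdr)) + hdr[12:]


def input_filter(tables: Dict[str, List[Rule]], iface: str,
                 packet: bytes, log: List[str]) -> bool:
    """The check done first thing on arrival: validity test, then source lookup."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        log.append(f"{iface}: malformed IPv4 header, dropped")
        return False
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ip_header_checksum(packet[:ihl]) != 0:
        log.append(f"{iface}: bad header checksum, dropped")
        return False
    src = str(ipaddress.IPv4Address(packet[12:16]))
    if not source_permitted(tables, iface, src):
        log.append(f"{iface}: invalid source address {src}, dropped")
        return False
    return True


def demo() -> List[str]:
    """Run a few constructed packets through both interfaces; return the log."""
    tables = build_tables(IFACCESS_CONF)
    log: List[str] = []
    internal = build_ipv4_header("10.1.1.5", "192.0.2.1")
    external = build_ipv4_header("192.0.2.1", "10.1.1.5")
    input_filter(tables, "tu0", internal, log)   # accepted: inside host on inside if
    input_filter(tables, "tu1", external, log)   # accepted: outside host on outside if
    input_filter(tables, "tu1", internal, log)   # dropped: spoofed internal source
    input_filter(tables, "tu0", external, log)   # dropped: not an internal source
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Only the arriving interface's table is consulted, so the same source address is legitimate on tu0 and a spoof on tu1; that asymmetry, not any TCP-level check, is what the note relies on.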