--On Wednesday, July 10, 2002 15:48:27 -0700 Alex Martin
<alex@cuscominc.com> wrote:
> Hello,
>
> Right now, I have a client with a firewall. Most inbound (from net)
> traffic is disabled, ie webservers on the dmz are serving local requests
> only.
>
> But, at my office, the ip of the (masqing) router is allowed access to my
> client's webserver, and other services, most of which the public is not
> allowed to.
>
> I have been planning on implementing a tunnel (vtun.sourceforge.net), but
> until I have the time, the above is the situation.
>
> I was wondering, if someone was to spoof their source ip (to be my office
> router's ip), would they be able to see all of the services that my office
> router is allowed to see? (The answer here should be yes, unless there are
> some protections for spoofing)
I want you to read the above description and FROM THAT DESCRIPTION ONLY, I
want you to try to draw a diagram of the systems involved including which
systems have Shorewall running on them. You can't, of course. So for me to
try to answer any questions based on that description would be foolish.
>
> So, does shorewall do any anti spoofing type stuff?
As entering "spoofing" in the search form on the Shorewall home page would
have revealed, the "routefilter" option in the /etc/shorewall/interfaces
file provides an anti-spoofing measure. It directs the kernel to not accept
incoming packets on that interface if traffic to the source IP would not be
routed out that same interface. So in particular, it will drop packets
whose source address is the same as one of the interfaces on the system
itself (if that's what you were trying to ask above).
>
> Also when compiling my kernel, there is some option for anti spoofing
> protection. How might this relate to my question? Or to shorewall?
I can't find any option having to do with spoofing in the "Networking
Options" part of the kernel config. Can you be more specific?
>
> The underlying question for this post is, what security issues may occur
> with this (above) type of setup?
>
In addition to 'routefilter', shorewall rules are always expressed in terms
of both an interface and an IP/subnet address; again, this prevents spoofed
packets that arrive on an interface that's improper for the source address
to be passed through the rules.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
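As an added illustration (not from this thread or the Shorewall project), here is a small Python model of the reverse-path check that "routefilter" turns on in the kernel, run over a constructed routing table and a few constructed packets; every address and interface name is made up, and the last sample goes one step beyond the reply above by showing a forged address that the check cannot distinguish from a legitimate one.

```python
import ipaddress

# Constructed routing table for a firewall like the one in the thread:
# (prefix, egress interface). Addresses and interface names are made up.
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route toward the Internet
    ("192.168.1.0/24", "eth1"),  # local LAN
    ("10.0.0.0/24", "eth2"),     # DMZ holding the web servers
]
# Addresses configured on the firewall's own interfaces (constructed).
LOCAL_ADDRESSES = {"203.0.113.1", "192.168.1.1", "10.0.0.1"}

def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the interface a packet *to* dst would leave by."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def passes_routefilter(src, in_iface, routes=ROUTES, local=LOCAL_ADDRESSES):
    """Strict reverse-path check, as 'routefilter' asks the kernel to do:
    accept only if the route back to src leaves by the arrival interface.
    One of the firewall's own addresses is never accepted as a source,
    since traffic to it would not be routed out any interface."""
    if src in local:
        return False
    return route_lookup(src, routes) == in_iface

# Constructed sample packets: (claimed source, interface it arrived on).
PACKETS = [
    ("198.51.100.7", "eth0"),  # ordinary Internet host on the outside: pass
    ("192.168.1.23", "eth0"),  # LAN address arriving from the Internet: drop
    ("10.0.0.5", "eth0"),      # DMZ address arriving from the Internet: drop
    ("203.0.113.1", "eth0"),   # firewall's own external address: drop
    ("10.0.0.5", "eth2"),      # DMZ host on the DMZ interface: pass
    # A forged copy of the office router's public address (192.0.2.9, made up)
    # arriving from outside is NOT caught: the route back to it is eth0 too.
    ("192.0.2.9", "eth0"),
]

def evaluate(packets=PACKETS):
    """Map (src, iface) -> 'ACCEPT' or 'DROP' for each sample packet."""
    return {(src, iface): "ACCEPT" if passes_routefilter(src, iface) else "DROP"
            for src, iface in packets}

for (src, iface), verdict in evaluate().items():
    print(f"{src:>14} via {iface}: {verdict}")
```

The last sample is the caveat to keep in mind for the setup described in the question: a reverse-path check only rejects sources whose return route points at a different interface, so an outside address allowed through the firewall still has to be protected by something else (the tunnel the poster mentions, for instance).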