Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How does antispoof in pfSense work?

    Scheduled Pinned Locked Moved Firewalling
    23 Posts 6 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      apollo13 @johnpoz
      last edited by

      @johnpoz said in How does antispoof in pfSense work?:

      in the /tmp/rules.debug

      Yes, it's in /tmp/rules.debug

      My understand when the rules are loaded antispoof will be expanded into 2 rules.

      Yes, they will be expanded (according to the pf docs https://www.openbsd.org/faq/pf/filter.html#antispoof), from:

      antispoof for fxp0 inet
      

      to

      block in on ! fxp0 inet from 10.0.0.0/24 to any
      block in inet from 10.0.0.1 to any
      

      That said, the expanded rules would only be marked quick if antispoof itself was marked as such. Therefor antispoff will match after any user defined rules by default if I understand it correctly.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        you quicker than my edit ;)

        So yeah what is the concern? That they are not marked quick?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        A 1 Reply Last reply Reply Quote 0
        • A
          apollo13 @johnpoz
          last edited by apollo13

          @johnpoz said in How does antispoof in pfSense work?:

          So yeah what is the concern? That they are not marked quick?

          Yes (especially the security implications of it), because without quick they will not match most of the time if the admin didn't explicitly set a proper source when creating rules on interface tabs.

          Ie if you generate a new rule on the LAN interface tab to allow LAN to access everything it will by default look like this:

          pass  in  quick  on $LAN inet from any to any tracker 0100000101 keep state  label "USER_RULE: Allow lan to access everything"
          

          This will match before the antispoof and as such allow spoofing on the interface again. The only way I can see around is by setting LAN net as a source manually. I thought the whole point of antispoof was to preventing spoofing without providing (by default) another gun (Source = any by default) to shoot yourself in the foot.

          Or do I miss something?

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            But what if want to allow multiple downstream networks to be passed.. Which is why I would set specific any as source...

            There valid reasons why source might be any vs just the net of the interface. Those users rules would be set to quick and allow traffic before the antispoof rule would hit.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            A 1 Reply Last reply Reply Quote 0
            • A
              apollo13
              last edited by

              I just found that /etc/inc/filter.inc has this interesting comment around the localhost rules:

                      /*       
                       * NB: The loopback rules are needed here since the antispoof would take precedence then.
                       *      If you ever add the 'quick' keyword to the antispoof rules above move the loopback
                       *      rules before them.
                       */      
              

              So apparently it was considered, leaving the question why it wasn't done in the first place.

              1 Reply Last reply Reply Quote 0
              • A
                apollo13 @johnpoz
                last edited by

                @johnpoz said in How does antispoof in pfSense work?:

                There valid reasons why source might be any vs just the net of the interface. Those users rules would be set to quick and allow traffic before the antispoof rule would hit.

                Absolutely, but wouldn't it at least make some sense to default to something more specific like the "interface net"? Then the user can still choose to set to "Any", but by default would have actual antispoof protection.

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  There are a lot of things that might make sense to default to, in multiple places in the gui.. For example /32 as default mask causes uses pain all the time since they don't notice it and set an interface mask with /32 vs what they actually wanted - which is most likely /24 ;)

                  Setting drop down lists default can always run into issues like this... Why do firewall rules default to tcp? Uses mess this one up all the time as well when they want say tcp/udp for dns,

                  It is the admins responsibility to make sure the rules or settings are how they are suppose to be vs what defaults in a dropdown or bank field, etc.

                  As to the specific reason for not quick on antispoof - lets see if @jimp can shed some light?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  1 Reply Last reply Reply Quote 0
                  • A
                    apollo13
                    last edited by

                    Fair enough. So all in all you can confirm that the antispoof rules will not be matched if they are accepted by the interface tab first.

                    Which brings me to part two of the question: What can I set as sensible source for interface groups then? If I set the source to a combination of the involved interfaces it would still be possible to spoof addresses shared between those interfaces…

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz

                      So the way I read the rules...

                      Lets say you have 2 interfaces

                      em0 192.168.1/24
                      em1 192.168.2/24

                      So this block prevents 192.168.1/24 being used on anything other than em0?

                      And prevents source of firewall IP on any interface from being used as source..

                      That is the way I read the rules, this early in the morning with my first cup of coffee only about half gone.. When those might actually come into play would require reading over the full set of rules in specific load order and evaluation order, etc.

                      Why I am hoping maybe jimp can smack some knowledge on us both ;) If not him - maybe he knows who can..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      A 1 Reply Last reply Reply Quote 0
                      • A
                        apollo13 @johnpoz
                        last edited by apollo13

                        @johnpoz said in How does antispoof in pfSense work?:

                        So the way I read the rules...

                        Lets say you have 2 interfaces

                        em0 192.168.1/24
                        em1 192.168.2/24

                        So this block prevents 192.168.1/24 being used on anything other than em0?

                        Yes this is correct, and the same for 192.168.2/24 with anything other than em1.

                        And prevents source of firewall IP on any interface from being used as source..

                        Correct.

                        Now imagine you were to create an interface group consisting of em0 & em1. Note that interface groups are just some logical grouping, no new antispoof rules get added for this (which makes sense). Lets name the interface group TEST for fun and create a rule on it allowing everyone to access some server:

                        pass return  in  quick  on $TEST inet proto { tcp  }  from any to $SOME_HOST
                        

                        Now everyone on em0 & em1 can access SOME_HOST. So far so good, but the result of that rule is also than anyone on em0 can use a spoofed IP from em1 to access that host (actually any address), which is what I am trying to prevent.

                        Yes, the knowledge of jimp would most certainly be appreciated.

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by johnpoz

                          Lets page @stephenw10 he might also be able to smack down some info ;)

                          I show him online - as well, let me see if he will join in on the discussion

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          1 Reply Last reply Reply Quote 0
                          • jimpJ
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            The defaults can't stop you from hurting yourself. No matter how they are set, there will be some way to misuse them or break things. The burden is on the user to choose appropriate options.

                            /24 is a worse default for interfaces than /32. With /32, everyone has to change the mask and it's safely broken (not going to hurt any other networks), whereas /24 could harm any number of misconfigured WANs.

                            any as a default source is the most eye-catching default. Anyone who sees that should want to fix it. If we defaulted to something else, it could break in other ways. Not every interface has an address, thus doesn't have an interface network, so using that would not work on such interfaces.

                            Sure there is a lot of subjectivity here but ultimately the burden is on the end user to know what they are doing.

                            @apollo13 said in How does antispoof in pfSense work?:

                            Now everyone on em0 & em1 can access SOME_HOST. So far so good, but the result of that rule is also than anyone on em0 can use a spoofed IP from em1 to access that host (actually any address), which is what I am trying to prevent.

                            That example isn't valid, though. If the user spoofed the address in that scenario, it would either never leave the network or never get a reply. They couldn't access anything. At most they'd get a single packet to the destination, so it's more of a concern for attacks that may only have a single packet payload or need no response.

                            By not using quick we give the user the option to override the antispoof behavior. If we changed them to quick then odds are we'd break thousands of networks out there that rely on being able to manually manage that behavior.

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            johnpozJ A 2 Replies Last reply Reply Quote 2
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @jimp
                              last edited by johnpoz

                              @jimp said in How does antispoof in pfSense work?:

                              Sure there is a lot of subjectivity here but ultimately the burden is on the end user to know what they are doing.

                              Completely and wholeheartedly agree with this! ;)

                              @jimp so could you give an example of when the antispoof actually comes into play for sake of completeness.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                              1 Reply Last reply Reply Quote 0
                              • A
                                apollo13 @jimp
                                last edited by

                                Ok, thank you for clearing up the rationale behind those defaults. I do agree with most of them. I guess what threw me off was that https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html#longer-version has "Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)" before "User-defined rules" and I assume antispoof was such an internal automatic rule.

                                @jimp said in How does antispoof in pfSense work?:

                                @apollo13 said in How does antispoof in pfSense work?:

                                Now everyone on em0 & em1 can access SOME_HOST. So far so good, but the result of that rule is also than anyone on em0 can use a spoofed IP from em1 to access that host (actually any address), which is what I am trying to prevent.

                                That example isn't valid, though. If the user spoofed the address in that scenario, it would either never leave the network or never get a reply. They couldn't access anything. At most they'd get a single packet to the destination, so it's more of a concern for attacks that may only have a single packet payload or need no response.

                                Okay, this is where my network knowledge appears to be lacking. In which cases wouldn't it leave the network? Is it because the return-path would make no sense for pfSense or something else?

                                And couldn't it be used for instance to send a DNS response to the spoofed address? Or with any other UDP protocol to generate amplification.

                                I understand that the last questions are most likely not realistic attack scenarios after all, but the answer to those would help me widen my understanding of how all of this works. So while the question might be naive, I'd appreciate if you find the time to give me a few more pointers.

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  If a client connected to em0 manually sets an IP from em1 and you have rules to pass that that bypass the antispoof rules as discussed they should not have any connectivity.
                                  What do they set as their gateway IP? If they set the em0 IP that's outside their subnet (probably). If they set the em1 IP they would ARP for it and it would not reply as it's in a different subnet.
                                  But even if it did and they managed to send traffic any replies would be sent back out of em1. If in fact it left at all since the client would not respond to ARPs from em1 as it's not connected there.

                                  Interesting question though. I normally try to avoid that sort of thing! 😉 I don't think I've ever tested how it fails exactly.

                                  Steve

                                  A 1 Reply Last reply Reply Quote 0
                                  • A
                                    apollo13 @stephenw10
                                    last edited by

                                    @stephenw10 said in How does antispoof in pfSense work?:

                                    If a client connected to em0 manually sets an IP from em1 and you have rules to pass that that bypass the antispoof rules as discussed they should not have any connectivity.

                                    Sure, there would be no (full) connectivity. But I am more thinking about malicious users here, not legitimate users.

                                    But even if it did and they managed to send traffic any replies would be sent back out of em1. If in fact it left at all since the client would not respond to ARPs from em1 as it's not connected there.

                                    Right, but an answer sent back to em1 could be considered kind of an attack (DNS amplification attacks etc come to mind?)

                                    Interesting question though. I normally try to avoid that sort of thing! 😉

                                    Hehe, me to. I was tightening firewall rules and looked at the generated rules.debug and started wondering…

                                    Thank you all for your insights, it was fun to dig through the rules and I guess I learned something on the way.

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      I would still like to see a when would this really "make sense" and do what it suppose to do, etc. as an example.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        apollo13
                                        last edited by

                                        Well, I cannot see any legitimate or useful use case myself aside from launching attacks against the network :)

                                        P 1 Reply Last reply Reply Quote 0
                                        • P phil80 referenced this topic on
                                        • P
                                          phil80 @apollo13
                                          last edited by

                                          This thread was really helpful and the flexibility that pfsense gives here is amazing

                                          However, it should have been better documented in the docs, in anti spoofing section

                                          Is it worth a commit to propose a change in the docs?

                                          Here's a somehow atypical use of this specificity in the anti spoofing rule:
                                          https://forum.netgate.com/topic/163088/l3-switch-and-pfsense-design-advise/16?_=1641114477363

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            mer
                                            last edited by

                                            @apollo13 said in How does antispoof in pfSense work?:

                                            Therefor antispoff will match after any user defined rules by default if I understand it correctly.

                                            Doesn't it depend on where the antispoof rules are in the ruleset? I'm looking at the expanded rules and it looks like the expanded antispoof rules are above my userrules anchor. Since they don't have a quick on the antispoof, but are physically above userrules, shouldn't it get evaluated first but not acted on unless there is no other rule matching the packet? The "last match wins" behavior?

                                            Everything else said in this thread is the behavior I've seen; it's just that specific statement I think is not quite correct.
                                            If I'm wrong, please correct me.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.