Filtering 'unconventional' IPs
-
New to this level of pfSense but I was reading a story called:
https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html
Basically the criminals are using unconventional IP formats (the caret thing is a new one for me) to get around filters. Do we need to do anything with our rules to stop this?
-
@linuxha ip addresses as hex and octal have always been a thing.
Nothing to worry about firewall wise.
andyk@mac-pro ~ % ping 0xac10020a
PING 0xac10020a (172.16.2.10): 56 data bytes
64 bytes from 172.16.2.10: icmp_seq=0 ttl=64 time=5.888 ms
64 bytes from 172.16.2.10: icmp_seq=1 ttl=64 time=2.099 ms
64 bytes from 172.16.2.10: icmp_seq=2 ttl=64 time=2.524 ms
^C
--- 0xac10020a ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.099/3.504/5.888/1.695 ms
andyk@mac-pro ~ %
It's still partly in some operating systems.
andyk@mac-pro ~ % ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
ether 00:3e:e1:c1:af:07
inet6 fe80::1035:7c19:92f3:40e4%en0 prefixlen 64 secured scopeid 0x4
inet 172.16.2.20 netmask 0xffffff00 broadcast 172.16.2.255
inet6 xxxx:xxxx:xxxx:xxxx::14 prefixlen 64 dynamic
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex,energy-efficient-ethernet>)
status: active
andyk@mac-pro ~ %
People just need to be aware of the other formats an IP address can take.
-
@linuxha said in Filtering 'unconventional' IPs:
to get around filters.
That doesn't really get around a firewall rule that is IP based; it's still an IP no matter how it's presented to the application or OS. When it goes over the network it would be in the typical 1.2.3.4 etc.
That might confuse a user in seeing what the IP is, or some software that limits based on some sort of rule that would trigger off your typical URL sort of thing. Obscuring or trying to obscure a URL or URI from the user knowing what it really is is nothing new ;)
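Added example, not part of the thread: a sketch of how a URL-based filter or log review could normalize hex, octal and short-form IPv4 host literals to dotted-quad before matching, so that 0xac10020a from the ping output above compares equal to 172.16.2.10. The function names and the blocklist are hypothetical, and the parsing follows the classic inet_aton rules (0x prefix = hex, leading 0 = octal, last part fills the remaining bytes).

```python
import re
from urllib.parse import urlsplit

# One inet_aton-style component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)\Z")


def canonical_ipv4(host):
    """Return dotted-quad for any inet_aton-style IPv4 literal, else None."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not _PART.match(p):
            return None  # a hostname, or a malformed number such as "08"
        base = 16 if p.startswith("0x") else 8 if len(p) > 1 and p[0] == "0" else 10
        values.append(int(p, base))
    *head, last = values
    # Leading parts are single bytes; the last part covers all remaining bytes.
    if any(v > 0xFF for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def url_hits_blocklist(url, blocked_ips):
    """True if the URL's host, in any numeric spelling, is a blocked IPv4."""
    host = urlsplit(url).hostname or ""
    return canonical_ipv4(host) in blocked_ips


if __name__ == "__main__":
    blocked = {"172.16.2.10"}  # constructed blocklist for the demo
    for u in ("http://0xac10020a/a", "http://0254.020.02.012/a",
              "http://2886730250/a", "http://172.16.522/a",
              "http://example.com/a"):
        print(u, "->", url_hits_blocklist(u, blocked))
```

A filter that compares the raw host string against "172.16.2.10" would miss the first four URLs; comparing the normalized form catches all of them.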
-
@johnpoz , correct IP based is not a problem. But URL based might break. I'm not sure if there is a URL based filter on the base pfSense (still learning).
-
@linuxha said in Filtering 'unconventional' IPs:
I'm not sure if there is a URL based filter on the base pfSense (still learning).
There is no URL filtering; unless you have set up a proxy it wouldn't come into play.
-
@johnpoz Thanks, no proxy yet. :-) Eventually I'll get there.
-
@linuxha said in Filtering 'unconventional' IPs:
Eventually I'll get there.
I wouldn't be in any rush - there is little use for it in how the modern web works, etc. ;) Unless you have some teenage boys or something you're trying to filter with a proxy from p0rn ;)
-
@johnpoz hehe, only my friends and my home systems (Home Automation). My friends know better than go looking for Pron on my systems, they've been redirected to some of the more 'interesting' sites. ;-) They still can't unsee that.