ifaccess.conf(4)
NAME
ifaccess.conf - Interface access filter configuration file
DESCRIPTION
The /etc/ifaccess.conf file is an optional system file that specifies
access filter entries for network interfaces. Interface access filtering
provides a mechanism for detecting and preventing IP spoofing attacks. (See
CERT Advisory CA-95:01). The source addresses of IP input packets are
checked against interface access filter entries; packets receive the action
associated with the first matching entry. The /etc/ifaccess.conf file is
read by the /usr/sbin/ifconfig command when called with the filter option.
The /etc/ifaccess.conf file is defined as a Context-Dependent Symbolic Link
(CDSL), and must be maintained as such. See the System Administration
manual for more information.
Lines in /etc/ifaccess.conf may be comment lines beginning with a number
sign (#), blank lines, or access filter entries with the following format:
interface_id address mask action
In the preceding format:
interface_id
Specifies the network interface for which this entry applies.
address
Is specified as a host name, network name, or an Internet address in
the standard dotted-decimal notation.
mask
Specifies which bits of the address are significant. The mask can be
specified as a single hexadecimal number beginning with 0x, in the
standard Internet dotted-decimal notation, or as a network name.
The mask contains 1s (ones) for the bit positions in address that are
significant.
action
Specifies the action taken on packets that match the entry. The following
actions are allowed: permit, deny, or denylog. Packets matching an entry
with a permit action are passed to higher levels; packets matching an entry
with a deny action are dropped; packets matching an entry with a
denylog action are dropped, with a descriptive message sent to the
system error logging facility.
To prevent host spoofing, you must determine which networks are not secure
and which interfaces are connected to those networks. For example, if a
host is connected to a secure, trusted network on one interface and to a
non-trusted (non-secure) network on a second interface, you need to add an
entry for the non-trusted network interface in the host's ifaccess.conf
file. Interfaces connected to trusted networks do not require an entry in
the ifaccess.conf file.
By default, the ifaccess.conf file contains an entry for each configured
adapter that disables localhost as a source address. To enable access
filtering on an interface, issue the ifconfig command with the filter
parameter for the interface. For example, for tu0, the command is as
follows:
# ifconfig tu0 filter
Use the netstat(1) command to display the current access filters for the
interface.
NOTES
Some machines send IP broadcast messages to the alternate all-zeros address
instead of the all-ones address. This generates the following error:
ipintr: IP addr 0.0.0.0 on interface: access denied
You should consider this error equivalent to the following error:
ipintr: IP addr 255.255.255.255 on interface: access denied
Use the tcpdump command to capture and examine the IP packets in order to
find out about the machine sending them.
RESTRICTIONS
An interface access filter entry mask must have at least as many
significant bits set as the address.
Interface access filters have an implicit default permit all entry at the
end.
Interface access filter entries are assigned in the order in which they
appear in /etc/ifaccess.conf, with packets receiving the action of the
first entry that matches.
At most IFAF_MAXENTRIES access filter entries may be assigned for each
network interface. (See the /usr/sys/include/net/if.h file.)
A default deny all entry may be configured by adding an entry similar to
the following as the last entry for interface xyz0 in /etc/ifaccess.conf
file:
xyz0 0.0.0.0 0.0.0.0 deny
Only address family inet is supported.
EXAMPLES
The following example shows the ifaccess.conf files for two hosts, Host A
and Host B, on a network; trusted is the trusted network. Host A connects
to the trusted network via the fza0 interface and connects to an untrusted
network, insecure1, via the ln0 interface.
Host A's ifaccess.conf file includes the following entry:
ln0 trusted 255.255.255.0 deny # deny all packets from hosts that
# claim they originated from the
# secure network.
Host B connects to the trusted network via the fza0 interface; connects to
an untrusted network, insecure1, via the ln0 interface; and connects to
another untrusted network, insecure2, via the ln1 interface. Host B's
ifaccess.conf file includes the following entries:
ln0 trusted 255.255.255.0 deny # deny all packets from hosts that
# claim they originated from the
# secure network.
ln1 trusted 255.255.255.0 deny # deny all packets from hosts that
# claim they originated from the
# secure network.
Note that there is no entry in the ifaccess.conf file for the trusted
network device, fza0. Only the untrusted network interfaces are configured
with ifaccess.conf.
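The following Python model is an added illustration, not part of the original manual page or of the system's ifconfig implementation. It parses entries in the interface_id address mask action format described above (dotted-decimal and 0x masks only; host and network names are not resolved), enforces the RESTRICTIONS that the mask must cover every significant address bit (interpreted here as: no address bit set outside the mask) and that the first matching entry wins with an implicit permit-all at the end, and evaluates the constructed sample file, in which 192.0.2.0/24 stands in for the trusted network.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

ACTIONS = {"permit", "deny", "denylog"}

# Constructed sample ifaccess.conf (not from the manual page).
SAMPLE_CONF = """\
# 192.0.2.0/24 stands in for the trusted network
ln0 127.0.0.1 255.255.255.255 denylog   # default localhost entry
ln0 192.0.2.0 255.255.255.0 deny        # deny packets on ln0 claiming a trusted source
ln1 192.0.2.0 0xffffff00 deny           # same rule on ln1, mask given in hex
ln1 0.0.0.0 0.0.0.0 deny                # default deny-all entry on ln1
"""

@dataclass
class Entry:
    interface: str
    address: int
    mask: int
    action: str

def parse_mask(text: str) -> int:
    # Mask as a 0x-prefixed hexadecimal number or dotted-decimal notation.
    if text.lower().startswith("0x"):
        return int(text, 16)
    return int(ipaddress.IPv4Address(text))

def parse_ifaccess(conf: str) -> List[Entry]:
    entries = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 'interface_id address mask action'")
        ifname, addr_txt, mask_txt, action = fields
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        addr = int(ipaddress.IPv4Address(addr_txt))
        mask = parse_mask(mask_txt)
        # RESTRICTIONS: the mask must cover the address's significant bits
        # (assumed meaning: no address bit may be set where the mask is 0).
        if addr & ~mask & 0xFFFFFFFF:
            raise ValueError(f"line {lineno}: address has bits outside the mask")
        entries.append(Entry(ifname, addr, mask, action))
    return entries

def filter_action(entries: List[Entry], interface: str, src: str) -> str:
    # First matching entry for this interface wins; implicit permit-all at the end.
    s = int(ipaddress.IPv4Address(src))
    for e in entries:
        if e.interface == interface and (s & e.mask) == (e.address & e.mask):
            return e.action
    return "permit"
```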
FILES
/etc/ifaccess.conf
Specifies the path name for the file.
/usr/sys/include/net/if.h
Network interface structures header file.
/usr/sys/include/netinet/in_var.h
Internet address and version structures header file.
RELATED INFORMATION
Commands: netstat(1), ifconfig(8), syslogd(8), tcpdump(8).