
Can one use ipopts, and in particular IP source routing, to circumvent source-based blocking in pf or iptables?

For example, with OpenBSD's pf:

block in  all # default deny, inbound
block out all # default deny, outbound
pass in  on dc0 from 10.0.0.0/8 to 10.1.1.1 # only 10/8 may reach 10.1.1.1 via dc0

Can IP source routing of TCP/IP packets over dc0 be used to circumnavigate (so to speak) the firewall rules and communicate with 10.1.1.1 from a network other than 10/8?

Even if possible, is such circumnavigation a viable or plausible attack if dc0 is public-facing? If so, can this be prevented?

Ali Ahmad
Brian M. Hunt

2 Answers


I don't know specifically whether it can bypass these particular firewalls, but my superficial impression is that most firewalls block source routing, specifically because of these kinds of threats.

D.W.


For incoming packets, packet filtering (call to pf_test on line 367) is done before option processing (call to ip_dooptions on line 384) in ip_input.c.

For outgoing packets, routing (starting on line 170) is done before packet filtering (call to pf_test on line 691) in ip_output.c.

So, if the packet filtering is working correctly, then no, source routing will not circumvent the firewall, because for incoming packets source routing is not applied until after filtering, and for outgoing packets filtering is done after source routing is applied.

this.josh
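To make the ordering argument in the answer above concrete, here is an added example (not code from the question, the answers, or from pf/iptables themselves): a toy packet filter that builds raw IPv4 headers with an LSRR/SSRR option and then applies the question's rule set to the header fields only, which is what pf sees when pf_test runs before ip_dooptions. The attacker's real address is still in the source field no matter what the route option says, so "from 10.0.0.0/8" keeps matching on it. The example also models pf's documented default of blocking IPv4 packets that carry any IP options unless the matching pass rule says allow-opts. All packet bytes, the RULES table and the helper names (build_ipv4, lsrr_option, parse_ipv4, pf_decide, source_route_final_dst) are constructed for this illustration.

```python
import ipaddress
import struct

# IP option type codes (type byte includes copy/class bits), from RFC 791.
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_LSRR = 0x83  # loose source and record route
IPOPT_SSRR = 0x89  # strict source and record route


def build_ipv4(src, dst, options=b"", payload=b""):
    """Build a raw IPv4 header (checksum left at 0; the toy filter never verifies it)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad option area to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack(
        "!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr + options + payload


def lsrr_option(hops, strict=False):
    """Encode an LSRR/SSRR option: type, length, pointer (4 = first hop), then the hop list."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_SSRR if strict else IPOPT_LSRR, 3 + len(body), 4]) + body


def parse_ipv4(pkt):
    """Return (src, dst, options); options is a list of (type, data) from the header."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    raw = pkt[20:ihl]
    opts = []
    i = 0
    while i < len(raw):
        t = raw[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        ln = raw[i + 1]
        if ln < 2 or i + ln > len(raw):
            raise ValueError("malformed IP option")
        opts.append((t, raw[i + 2:i + ln]))
        i += ln
    return src, dst, opts


def source_route_final_dst(opts):
    """Where a source-routed packet would end up: the last hop in the route list, if any."""
    for t, data in opts:
        if t in (IPOPT_LSRR, IPOPT_SSRR) and len(data) >= 5:  # pointer byte + >=1 address
            return ipaddress.IPv4Address(data[-4:])
    return None


# Constructed rule table mirroring the question's pf.conf (interface check omitted):
# (action, src_net or None for "any", dst_host or None for "any")
RULES = [
    ("block", None, None),
    ("pass", ipaddress.ip_network("10.0.0.0/8"), ipaddress.IPv4Address("10.1.1.1")),
]


def pf_decide(pkt, allow_opts_on_pass=False):
    """Decide on the *header* src/dst only, before any source-route processing, last match wins."""
    src, dst, opts = parse_ipv4(pkt)
    decision = "block"
    for action, net, host in RULES:
        if net is not None and src not in net:
            continue
        if host is not None and dst != host:
            continue
        decision = action
    # pf default: IPv4 packets with options are blocked unless the pass rule carries allow-opts.
    if decision == "pass" and opts and not allow_opts_on_pass:
        decision = "block"
    return decision


if __name__ == "__main__":
    # Attacker outside 10/8 tries to reach 10.1.1.1 by source-routing through a 10/8 host.
    atk = build_ipv4("192.0.2.1", "10.5.5.5", lsrr_option(["10.1.1.1"]))
    print("attacker via LSRR:", pf_decide(atk), "final hop:", source_route_final_dst(parse_ipv4(atk)[2]))
    print("legit 10/8 host  :", pf_decide(build_ipv4("10.0.0.5", "10.1.1.1")))
```

The checks a practitioner would pair with this: on OpenBSD, the sysctl net.inet.ip.sourceroute defaults to 0, so source-routed packets are not forwarded even if a pass rule used allow-opts; on Linux, set net.ipv4.conf.all.accept_source_route=0 so the kernel discards packets carrying an SRR option before any routing decision. With either of those in place the option buys the attacker nothing beyond what the header already exposes.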