RE: iptables spof address problem

> -----Original Message-----
> From: Piotr Holubniak [mailto:piotr.holubniak@xxxxxxxxxxxx] 
> Sent: Thursday, September 29, 2005 2:15 PM
> To: Derick Anderson
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: iptables spof address problem
> 
> Derick Anderson wrote:
> >
> >>-----Original Message-----
> >>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> >>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Piotr
> >>Holubniak
> >>Sent: Thursday, September 29, 2005 1:22 AM
> >>To: netfilter@xxxxxxxxxxxxxxxxxxx
> >>Subject: Re: iptables spof address problem
> >
> >[snip]
> >
> >>This is not a question of routing Layer 2. All computers are in one
> >>local network in the same subnet, so there is no need to route packets.
> >>It seems to me that even if data arrives at the NIC of the Linux computer
> >>with netfilter, from a computer with a MAC address, this MAC address is
> >>unseen to netfilter, because before it is passed to netfilter, the TCP/IP
> >>stack tries to resolve the MAC by sending an ARP lookup. So finally netfilter
> >>gets the wrong MAC.
> >>Not the sender's but the ARP lookup's.
> >>
> >>Tell me if I am wrong.
> >>
> >>Regards
> >>
> >>PiotrH
> >
> Netfilter is designed to improve the security of a network or
> computer system.
> 
> In a well-designed network, a mechanism like "security port"
> in a switch doesn't allow you to spoof a MAC address, simply
> because it limits the number of MAC addresses which can leave
> a port to only one, and this one is registered and cannot be
> changed without the supervisor's permission.
> 
> In the scenario I described, the attacker doesn't need to spoof
> the MAC address to be invisible; it is enough to spoof the IP. So
> the functionality of "security port" is very limited. I believe
> that netfilter should always display the real MAC address. I
> don't know how to change it.
> 
> Regards
> 
> PiotrH
> 

From the hping man page:

-a --spoof hostname
    Use this option in order to set a fake IP source address; this option ensures that the target will not gain your real address. However, replies will be sent to the spoofed address, so you can't see them. In order to see how it's possible to perform spoofed/idle scanning see the HPING2-HOWTO.

I reiterate: a properly spoofed packet is completely identical to a genuine one. It is not Netfilter's or the kernel stack's fault; it is a simple fact of life that bits are bits. With an intelligent switch this kind of attack can be stopped, provided the switch is set to use a 1-to-1 ratio of ports to MACs and to drop invalid packets. However, it is not possible to prevent this attack when nothing separates the two boxes but twisted pair.

Derick Anderson
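Added example, not part of this thread, of hping, or of netfilter: it builds raw Ethernet/IPv4 frames the way a spoofing tool would put them on the wire, then runs them through a host-side filter that pairs each source IP with the MAC it is expected to arrive from (the policy iptables expresses with the `mac` match, `-m mac --mac-source`). The receiver reads the source MAC straight out of the Ethernet header of the frame it received, so when only the IP is spoofed the attacker's real MAC is still visible and the binding check drops the frame; once the attacker also rewrites the source MAC, the frame is byte-for-byte identical to a genuine one and no host-side check can tell them apart, which is exactly why the remaining defence is the switch's port-to-MAC binding. All addresses, MACs and the topology are constructed sample values.

```python
"""
Added example (not from the original mailing-list thread): spoofed vs genuine
frames on one Ethernet segment, seen from the receiving host.
"""
import struct

# Constructed sample topology (assumption): victim, attacker and the
# netfilter box share a single Ethernet segment, so no routing is involved.
FIREWALL_IP, FIREWALL_MAC = "192.168.1.1", "00:aa:bb:cc:dd:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:55"
ATTACKER_MAC = "66:77:88:99:aa:bb"

# Host-side IP-to-MAC binding table. On a real box the same policy is a rule
# pair such as:
#   iptables -A INPUT -s 192.168.1.10 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
#   iptables -A INPUT -s 192.168.1.10 -j DROP
IP_TO_MAC = {VICTIM_IP: VICTIM_MAC}


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over a 20-byte header.
    Returns 0 when run over a header whose checksum field is already valid."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II header + minimal IPv4 header (protocol 1, ICMP) + payload.
    The sender chooses every byte, including both source addresses."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, 1, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr + payload


def parse_frame(frame):
    """What the receiving NIC and kernel hand to the filter: the source MAC
    from the Ethernet header and the source IP from the IP header. Nothing on
    the receive path consults ARP; the MAC is whatever the sender wrote."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip_hdr = frame[14:34]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    src_ip = ".".join(str(b) for b in ip_hdr[12:16])
    return src_mac, src_ip


def filter_verdict(frame):
    """ACCEPT unless the source IP has a registered MAC and arrived from
    a different one (the iptables mac-match policy above)."""
    src_mac, src_ip = parse_frame(frame)
    expected = IP_TO_MAC.get(src_ip)
    return "ACCEPT" if expected is None or expected == src_mac else "DROP"


# Three constructed frames addressed to the netfilter box.
GENUINE = build_frame(VICTIM_MAC, FIREWALL_MAC, VICTIM_IP, FIREWALL_IP)
# "hping -a 192.168.1.10" on the attacker's box: IP spoofed, but the frame
# still leaves the attacker's NIC carrying the attacker's own MAC.
IP_SPOOF_ONLY = build_frame(ATTACKER_MAC, FIREWALL_MAC, VICTIM_IP, FIREWALL_IP)
# Attacker also forges the source MAC: indistinguishable from GENUINE.
FULL_SPOOF = build_frame(VICTIM_MAC, FIREWALL_MAC, VICTIM_IP, FIREWALL_IP)


def demo():
    return {
        "genuine": filter_verdict(GENUINE),
        "ip_spoof_only": filter_verdict(IP_SPOOF_ONLY),
        "full_spoof": filter_verdict(FULL_SPOOF),
        "full_spoof_identical_to_genuine": FULL_SPOOF == GENUINE,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The IP ID and payload are held constant so the comparison is exact; on a real network those fields vary per packet, but nothing in them authenticates the sender, so the conclusion is the same. The binding check also only helps on a segment where port security already stops the attacker from changing the MAC that leaves its switch port; with plain twisted pair between the boxes the full-spoof case is what the filter sees.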
