ifaccess.conf(4)

NAME
ifaccess.conf - Interface access filter configuration file
DESCRIPTION
The /etc/ifaccess.conf file is an optional system file that specifies
access filter entries for network interfaces. Interface access filtering
provides a mechanism for detecting and preventing IP spoofing attacks.
(See CERT Advisory CA-95:01). The source addresses of IP input packets
are checked against interface access filter entries; packets receive the
action associated with the first matching entry. The /etc/ifaccess.conf
file is read by the /usr/sbin/ifconfig command when called with the
filter option.
The /etc/ifaccess.conf file is defined as a Context-Dependent Symbolic
Link (CDSL), and must be maintained as such. See the System
Administration manual for more information.
Lines in /etc/ifaccess.conf may be comment lines beginning with a number
sign (#), blank lines, or access filter entries with the following
format:

     interface_id address mask action
In the preceding format:

interface_id
     Specifies the network interface to which this entry applies.

address
     Is specified as a host name, network name, or an Internet address
     in the standard dotted-decimal notation.

mask
     Specifies which bits of the address are significant. The mask can
     be specified as a single hexadecimal number beginning with 0x, in
     the standard Internet dotted-decimal notation, or beginning with a
     name. The mask contains 1s (ones) for the bit positions in address
     that are significant.

action
     Specifies the action taken on packets that match this entry. The
     following actions are allowed: permit, deny, or denylog. Packets
     matching an entry with a permit action are passed to higher levels;
     packets matching an entry with a deny action are dropped; packets
     matching an entry with a denylog action are dropped, with a
     descriptive message sent to the system error logging facility.
To prevent host spoofing, you must determine which networks are not
secure and which interfaces are connected to those networks. For
example, if a host is connected to a secure, trusted network on one
interface and to a non-trusted (non-secure) network on a second
interface, you need to add an entry for the non-trusted network
interface in the host's ifaccess.conf file. Interfaces connected to
trusted networks do not require an entry in the ifaccess.conf file.
By default, the ifaccess.conf file contains an entry for each configured
adapter that disables localhost as a source address. To enable access
filtering on an interface, issue the ifconfig command with the filter
parameter for the interface. For example, for tu0, the command is as
follows:

     # ifconfig tu0 filter
Use the netstat(1) command to display the current access filters for
the interface.
NOTES
Some machines send IP broadcast messages to the alternate all-zeros
address instead of the all-ones address. This generates the following
error:

     ipintr: IP addr 0.0.0.0 on interface: access denied

You should consider this error equivalent to the following error:

     ipintr: IP addr 255.255.255.255 on interface: access denied

Use the tcpdump command to capture and examine the IP packets in order
to find out about the machine sending them.
RESTRICTIONS
An interface access filter entry mask must have at least as many
significant bits set as the address.
Interface access filters have an implicit default permit all entry at
the end.
Interface access filter entries are assigned in the order in which they
appear in /etc/ifaccess.conf, with packets receiving the action of the
first entry that matches.
At most IFAF_MAXENTRIES access filter entries may be assigned for each
network interface. (See the /usr/sys/include/net/if.h file.)
A default deny all entry may be configured by adding an entry similar
to the following as the last entry for interface xyz0 in the
/etc/ifaccess.conf file:

     xyz0 0.0.0.0 0.0.0.0 deny
Only address family inet is supported.
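The following is an added worked example, not part of this manual page or of the system's own code. It models the entry format from DESCRIPTION (comment lines, the four fields, hex or dotted-decimal masks, the three actions) and the matching rules from RESTRICTIONS (first matching entry wins, implicit default permit all, mask must cover the address) as a small user-space checker. Name resolution for tokens such as trusted and localhost is a constructed table, the sample file is constructed after the EXAMPLES section, and the denylog message wording is only modelled on the NOTES section; the kernel's exact text may differ.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for host/network name resolution (the kernel resolves
# names through the system's host and network databases; this table is an
# assumption made for the example).
NAME_TABLE = {
    "trusted": "192.0.2.0",      # hypothetical address of the trusted network
    "localhost": "127.0.0.1",
}

ACTIONS = ("permit", "deny", "denylog")


@dataclass(frozen=True)
class FilterEntry:
    interface: str
    address: int   # 32-bit IPv4 address
    mask: int      # 32-bit mask; 1s mark the significant bits of address
    action: str


def parse_address(token):
    """Resolve a host/network name or dotted-decimal string to a 32-bit int."""
    token = NAME_TABLE.get(token, token)
    return int(ipaddress.IPv4Address(token))


def parse_mask(token):
    """A mask may be 0x-prefixed hex, dotted-decimal, or a name."""
    if token.lower().startswith("0x"):
        return int(token, 16) & 0xFFFFFFFF
    return parse_address(token)


def parse_ifaccess_conf(text):
    """Parse ifaccess.conf text into an ordered list of FilterEntry.

    Comments (# to end of line) and blank lines are skipped. File order is
    preserved because the first matching entry decides the action.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        interface, addr_tok, mask_tok, action = fields
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        address = parse_address(addr_tok)
        mask = parse_mask(mask_tok)
        # RESTRICTIONS: the mask must cover every significant bit of the
        # address, i.e. no address bit may be set outside the mask.
        if address & ~mask & 0xFFFFFFFF:
            raise ValueError(f"line {lineno}: mask does not cover address")
        entries.append(FilterEntry(interface, address, mask, action))
    return entries


def check_packet(entries, interface, src, log=None):
    """Return the action for a packet with source src arriving on interface.

    Entries are scanned in file order and the first match wins. If no entry
    for the interface matches, the implicit default permit all entry applies.
    A denylog match appends a message (modelled on NOTES) to log.
    """
    src_int = int(ipaddress.IPv4Address(src))
    for entry in entries:
        if entry.interface != interface:
            continue
        if (src_int & entry.mask) == entry.address:
            if entry.action == "denylog" and log is not None:
                log.append(f"ipintr: IP addr {src} on {interface}: access denied")
            return entry.action
    return "permit"


# Constructed sample file, modelled on Host B in the EXAMPLES section.
SAMPLE_CONF = """\
# Host B: untrusted interfaces ln0 and ln1; trusted interface fza0 is unlisted
ln0 localhost 255.255.255.255 deny
ln0 trusted   255.255.255.0   denylog   # source claims to be on the trusted net
ln1 trusted   255.255.255.0   deny
ln1 0.0.0.0   0.0.0.0         deny      # default deny all on ln1
"""


if __name__ == "__main__":
    entries = parse_ifaccess_conf(SAMPLE_CONF)
    messages = []
    for iface, src in [("ln0", "192.0.2.7"), ("ln0", "198.51.100.9"),
                       ("ln1", "198.51.100.9"), ("fza0", "192.0.2.7")]:
        print(iface, src, check_packet(entries, iface, src, messages))
    print(*messages, sep="\n")
```

The run shows the three behaviours the page describes: a packet on ln0 that claims a trusted-network source hits the denylog entry and produces the log line; an unrelated source on ln0 falls through to the implicit permit; the same source on ln1 is caught by the trailing default deny all entry; and fza0, which has no entries, permits everything.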
EXAMPLES
The following example shows the ifaccess.conf files for two hosts, Host
A and Host B, on a network; trusted is the trusted network. Host A
connects to the trusted network via the fza0 interface and connects to
an untrusted network, insecure1, via the ln0 interface.

Host A's ifaccess.conf file includes the following entry:

     ln0 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                       # claim they originated from the
                                       # secure network.

Host B connects to the trusted network via the fza0 interface; connects
to an untrusted network, insecure1, via the ln0 interface; and connects
to another untrusted network, insecure2, via the ln1 interface. Host B's
ifaccess.conf file includes the following entries:

     ln0 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                       # claim they originated from the
                                       # secure network.
     ln1 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                       # claim they originated from the
                                       # secure network.

Note that there is no entry in the ifaccess.conf file for the trusted
network device, fza0. Only the untrusted network interfaces are
configured with ifaccess.conf.
FILES
/etc/ifaccess.conf
     Specifies the path name for the file.
/usr/sys/include/net/if.h
     Network interface structures header file.
Internet address and version structures header file.
RELATED INFORMATION
Commands: netstat(1), ifconfig(8), syslogd(8), tcpdump(8).