Firewalls and J-Lan Communicator
--------------------------------

This is a little document about firewall problems with jlanc and antispoof.

* Introduction *

Address spoofing is when a malicious user changes the source address in packets to hide their address or just to impersonate another host in the network. Almost all modern operating systems that come with firewalling capabilities have ways to avoid those problems.

In this document I want to review an antispoofing example, the problem you can find with it, and how it interacts with the broadcast packets used by jlanc.

* Example case: OpenBSD's PF *

Let's use OpenBSD's Packet Filter as the example. Its syntax is simple and easy to understand.

We want to firewall the wlan interface wi0 with IP 10.1.1.1 and netmask 255.255.255.0. PF's syntax for antispoofing is:

    antispoof quick for wi0 inet

PF translates that to:

    block drop in quick on ! wi0 inet from 10.1.1.0/24 to any
    block drop in quick inet from 10.1.1.1 to any

That means you cannot receive packets from network 10.1.1.0/255.255.255.0 (net/mask) if they don't come in on wi0 (rule 1). Moreover, you cannot receive packets from 10.1.1.1 (yourself) via wi0 (rule 2).

The problem is obviously in rule 2: you MUST receive packets from yourself. When jlanc sends broadcast packets to 10.1.1.255 you *receive* those packets, because a broadcast is received by all the hosts in the LAN, so PF is blocking jlanc.

The workaround is to pass all the packets needed for jlanc:

    pass in quick on wi0 proto udp from 10.1.1.0/24 to 10.1.1.255 port 4110

That line must come before the antispoof one, so you allow 10.1.1.0/255.255.255.0 (net/mask) to broadcast packets to port 4110, and hence receive from all the peers and send to all the peers.

* Conclusions *

As you can see, the workaround is pretty easy and doesn't require removing the antispoof protection. Indeed I've noticed that problem only in OpenBSD (GNU/Linux iptables didn't make trouble). I hope you can fix your firewall with this little document.

Juan J. Martínez

** EOF **
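To see why the pass rule has to come before the antispoof line, here is an added Python model (not part of the original document, and not PF itself) of first-match "quick" evaluation over the two rules that the antispoof line expands into, with and without the jlanc pass rule in front. The packets, the second interface name em0 and the simplified matcher are constructed assumptions; only the rule text comes from the document.

```python
import ipaddress
from collections import namedtuple

# Constructed model of PF 'quick' rules; not PF's real parser. iface=None matches
# any interface, negate=True models "on ! wi0", proto/dport=None match anything.
Packet = namedtuple("Packet", "iface proto src dst dport")
Rule = namedtuple("Rule", "action iface negate proto src dst dport")
ANY = "0.0.0.0/0"

def matches(r: Rule, p: Packet) -> bool:
    if r.iface is not None and (p.iface == r.iface) == r.negate:
        return False
    if r.proto is not None and p.proto != r.proto:
        return False
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(r.src):
        return False
    if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(r.dst):
        return False
    return r.dport is None or p.dport == r.dport

def antispoof(iface: str, net: str, addr: str) -> list:
    """The two block rules PF expands 'antispoof quick for <iface> inet' into."""
    return [Rule("block", iface, True, None, net, ANY, None),            # rule 1
            Rule("block", None, False, None, addr + "/32", ANY, None)]   # rule 2

def evaluate(rules: list, pkt: Packet) -> tuple:
    """All rules carry 'quick', so the first match decides; nothing matching passes."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r.action, i
    return "pass", None

# Constructed inbound packets: our own jlanc broadcast, a peer's broadcast, and a
# spoofed packet claiming a LAN source address but arriving on another interface.
OWN_BCAST = Packet("wi0", "udp", "10.1.1.1", "10.1.1.255", 4110)
PEER_BCAST = Packet("wi0", "udp", "10.1.1.2", "10.1.1.255", 4110)
SPOOFED = Packet("em0", "udp", "10.1.1.7", "10.1.1.255", 4110)

# The pass rule from the document, placed before the antispoof expansion.
JLANC_PASS = Rule("pass", "wi0", False, "udp", "10.1.1.0/24", "10.1.1.255/32", 4110)
ANTISPOOF_ONLY = antispoof("wi0", "10.1.1.0/24", "10.1.1.1")
FIXED = [JLANC_PASS] + ANTISPOOF_ONLY

if __name__ == "__main__":
    for name, rules in (("antispoof only", ANTISPOOF_ONLY), ("fixed", FIXED)):
        print(name, [evaluate(rules, p) for p in (OWN_BCAST, PEER_BCAST, SPOOFED)])
```

With antispoof alone, our own broadcast is dropped by rule 2 while the spoofed packet is still dropped by rule 1; with the pass rule in front, our own and peer broadcasts pass and the spoofed packet is still blocked, which is the point of keeping antispoof in place.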