*** UNIX MANUAL PAGE BROWSER ***

A Nergahak database for man pages research.

Manual Page Result

Command: ifaccess.conf | Section: 4 | Source: Digital UNIX | File: ifaccess.conf.4.gz

ifaccess.conf(4)             Kernel Interfaces Manual             ifaccess.conf(4)

NAME
       ifaccess.conf - Interface access filter configuration file

DESCRIPTION
       The /etc/ifaccess.conf file is an optional system file that specifies
       access filter entries for network interfaces. Interface access
       filtering provides a mechanism for detecting and preventing IP spoofing
       attacks (see CERT Advisory CA-95:01). The source addresses of IP input
       packets are checked against interface access filter entries; packets
       receive the action associated with the first matching entry.

       The /etc/ifaccess.conf file is read by the /usr/sbin/ifconfig command
       when called with the filter option.

       Lines in /etc/ifaccess.conf may be comment lines beginning with a
       number sign (#), blank lines, or access filter entries with the
       following format:

              interface_id address mask action

       In the preceding format:

       interface_id
              Specifies the network interface for which this entry applies.

       address
              Is specified as a hostname, network name, or an Internet address
              in the standard dotted-decimal notation.

       mask   Specifies which bits of the address are significant. The mask
              can be specified as a single hexadecimal number beginning with
              0x, in the standard Internet dotted-decimal notation, or as a
              name. The mask contains 1s (ones) for the bit positions in
              address that are significant.

       action Specifies the action taken for packets that match this entry.
              The following actions are allowed: permit, deny, or denylog.
              Packets matching an entry with a permit action are passed to
              higher levels; packets matching an entry with a deny action are
              dropped; packets matching an entry with a denylog action are
              dropped, with a descriptive message sent to the system error
              logging facility.

       To prevent host spoofing, you must determine which networks are not
       secure and which interfaces are connected to those networks. For
       example, if a host is connected to a secure, trusted network on one
       interface and to a non-trusted (non-secure) network on a second
       interface, you need to add an entry for the non-trusted network
       interface in the host's ifaccess.conf file. Interfaces connected to
       trusted networks do not require an entry in the ifaccess.conf file.

RESTRICTIONS
       An interface access filter entry mask must have at least as many
       significant bits set as the address.

       Interface access filters have an implicit default permit all entry at
       the end.

       Interface access filter entries are assigned in the order in which they
       appear in /etc/ifaccess.conf, with packets receiving the action of the
       first entry that matches.

       At most IFAF_MAXENTRIES access filter entries may be assigned for each
       network interface. (See the /usr/sys/include/net/if.h file.)

       A default deny all entry may be configured by adding an entry similar
       to the following as the last entry for interface xyz0 in the
       /etc/ifaccess.conf file:

              xyz0 0.0.0.0 0.0.0.0 deny

       Only address family inet is supported.

EXAMPLES
       The following example shows the ifaccess.conf files for two hosts,
       Host A and Host B, on a network; trusted is the trusted network.

       Host A connects to the trusted network via the fza0 interface and
       connects to an untrusted network, insecure1, via the ln0 interface.
       Host A's ifaccess.conf file includes the following entry:

              ln0 trusted 255.255.255.0 deny   # deny all packets from hosts that
                                               # claim they originated from the
                                               # secure network.

       Host B connects to the trusted network via the fza0 interface; connects
       to an untrusted network, insecure1, via the ln0 interface; and connects
       to another untrusted network, insecure2, via the ln1 interface. Host
       B's ifaccess.conf file includes the following entries:

              ln0 trusted 255.255.255.0 deny   # deny all packets from hosts that
                                               # claim they originated from the
                                               # secure network.
              ln1 trusted 255.255.255.0 deny   # deny all packets from hosts that
                                               # claim they originated from the
                                               # secure network.

       Note that there is no entry in the ifaccess.conf file for the trusted
       network device, fza0. Only the untrusted network interfaces are
       configured with ifaccess.conf.

FILES
       /etc/ifaccess.conf
              Specifies the path name for the file.

       /usr/sys/include/net/if.h
              Network interface structures header file.

       Internet address and version structures header file.

RELATED INFORMATION
       Commands: ifconfig(8), syslogd(8).

                                                                  ifaccess.conf(4)
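As an added illustration (not part of the Digital UNIX manual page or of its ifconfig implementation), the following Python models the entry format and the first-match, implicit-permit semantics described in DESCRIPTION and RESTRICTIONS, including the check that the mask covers every significant bit of the address. The name-to-address table and the Host B configuration are constructed for the example, and the IFAF_MAXENTRIES limit is not modelled because the page does not give its value.

```python
import ipaddress
# Constructed stand-in for the hostname/network-name lookup ifconfig does via
# the resolver; "trusted" (from EXAMPLES) gets a documentation address here.
NAMES = {"trusted": "192.0.2.0"}

def _to_int(token):
    if token.startswith("0x"):          # mask as a single hex number
        return int(token, 16)
    return int(ipaddress.IPv4Address(NAMES.get(token, token)))  # name/dotted

def parse_entry(line):
    body = line.split("#", 1)[0].strip()   # a number sign starts a comment
    if not body:
        return None                         # blank line or comment only
    ifname, addr, mask, action = body.split()
    if action not in ("permit", "deny", "denylog"):
        raise ValueError(f"unknown action {action!r}")
    addr_i, mask_i = _to_int(addr), _to_int(mask)
    # RESTRICTIONS: mask needs at least as many significant bits as address
    if addr_i & ~mask_i & 0xFFFFFFFF:
        raise ValueError(f"mask {mask} does not cover address {addr}")
    return ifname, addr_i, mask_i, action

def entry_is_valid(line):
    try:
        return parse_entry(line) is not None
    except ValueError:
        return False

def load_filters(text):
    # entries grouped per interface, kept in file order (first match wins)
    filters = {}
    for line in text.splitlines():
        if entry := parse_entry(line):
            filters.setdefault(entry[0], []).append(entry[1:])
    return filters

def filter_action(filters, ifname, src):
    # action for an IP input packet with source address src arriving on ifname
    src_i = int(ipaddress.IPv4Address(src))
    for addr_i, mask_i, action in filters.get(ifname, []):
        if src_i & mask_i == addr_i & mask_i:
            return action
    return "permit"   # implicit default permit-all entry at the end
# Constructed Host B file from EXAMPLES, with a default deny-all (denylog) last
HOST_B_CONF = """\
ln0 trusted 255.255.255.0 deny     # deny packets claiming a trusted source
ln1 trusted 255.255.255.0 deny
ln1 0.0.0.0 0.0.0.0 denylog        # drop and log everything else on ln1
"""
```

Because fza0 has no entries, every packet arriving on it falls through to the implicit permit, exactly as the Note in EXAMPLES describes.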
