ifaccess.conf man page on Tru64


ifaccess.conf(4)					      ifaccess.conf(4)

NAME
       ifaccess.conf - Interface access filter configuration file

DESCRIPTION
       The /etc/ifaccess.conf file is an optional system file that specifies
       access filter entries for network interfaces.  Interface access
       filtering provides a mechanism for detecting and preventing IP spoofing
       attacks. (See CERT Advisory CA-95:01). The source addresses of IP input
       packets are checked against interface access filter entries; packets
       receive the action associated with the first matching entry.  The
       /etc/ifaccess.conf file is read by the /usr/sbin/ifconfig command when
       called with the filter option.

       The /etc/ifaccess.conf file is defined as a Context-Dependent Symbolic
       Link (CDSL), and must be maintained as such.  See the System
       Administration manual for more information.

       Lines in /etc/ifaccess.conf may be comment lines beginning with a
       number sign (#), blank lines, or access filter entries with the
       following format:

              interface_id address mask action

       In the preceding format:

       interface_id
              Specifies the network interface for which this entry applies.

       address
              Is specified as a host name, network name, or an Internet
              address in the standard dotted-decimal notation.

       mask   Specifies which bits of the address are significant.  The mask
              can be specified as a single hexadecimal number beginning with
              0x, in the standard Internet dotted-decimal notation, or
              beginning with a name.  The mask contains 1s (ones) for the bit
              positions in address that are significant.

       action Specifies an entry to match packets against.  The following
              actions are allowed: permit, deny, or denylog.  Packets matching
              an entry with a permit action are passed to higher levels;
              packets matching an entry with a deny action are dropped;
              packets matching an entry with a denylog action are dropped,
              with a descriptive message sent to the system error logging
              facility.

       To prevent host spoofing, you must determine which networks are not
       secure and which interfaces are connected to those networks.  For
       example, if a host is connected to a secure, trusted network on one
       interface and to a non-trusted (non-secure) network on a second
       interface, you need to add an entry for the non-trusted network
       interface in the host's ifaccess.conf file.  Interfaces connected to
       trusted networks do not require an entry in the ifaccess.conf file.

       By default, the ifaccess.conf file contains an entry for each
       configured adapter that disables localhost as a source address.  To
       enable access filtering on an interface, issue the ifconfig command
       with the filter parameter for the interface.  For example, for tu0,
       the command is as follows:

              # ifconfig tu0 filter

       Use the netstat(1) command to display the current  access  filters  for
       the interface.

NOTES
       Some machines send IP broadcast messages to the alternate all-zeros
       address instead of the all-ones address.  This generates the following
       error:

              ipintr: IP addr 0.0.0.0 on interface: access denied

       You should consider this error equivalent to the following error:

              ipintr: IP addr 255.255.255.255 on interface: access denied

       Use the tcpdump command to capture and examine the IP packets in order
       to find out about the machine sending them.

RESTRICTIONS
       An  interface  access filter entry mask must have at least as many sig‐
       nificant bits set as the address.

       Interface access filters have an implicit default permit all  entry  at
       the end.

       Interface access filter entries are assigned in the order in which they
       appear in /etc/ifaccess.conf, with packets receiving the action of  the
       first entry that matches.

       At  most IFAF_MAXENTRIES access filter entries may be assigned for each
       network interface. (See the /usr/sys/include/net/if.h file.)

       A default deny all entry may be configured by adding an entry similar
       to the following as the last entry for interface xyz0 in the
       /etc/ifaccess.conf file:

              xyz0 0.0.0.0 0.0.0.0 deny

       Only address family inet is supported.

EXAMPLES
       The following example shows the ifaccess.conf files for two hosts,
       Host A and Host B, on a network; trusted is the trusted network.
       Host A connects to the trusted network via the fza0 interface and
       connects to an untrusted network, insecure1, via the ln0 interface.

       Host A's ifaccess.conf file includes the following entry:

              ln0 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                                # claim they originated from the
                                                # secure network.

       Host B connects to the trusted network via the fza0 interface;
       connects to an untrusted network, insecure1, via the ln0 interface;
       and connects to another untrusted network, insecure2, via the ln1
       interface.  Host B's ifaccess.conf file includes the following
       entries:

              ln0 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                                # claim they originated from the
                                                # secure network.
              ln1 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                                # claim they originated from the
                                                # secure network.

       Note that there is no entry in the ifaccess.conf file for the trusted
       network device, fza0.  Only the untrusted network interfaces are
       configured with ifaccess.conf.
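       The entry format, the first-match and implicit-permit rules from
       RESTRICTIONS, and the Host B example above can be exercised with the
       following simulator.  It is an added illustration, not Tru64 code: the
       sample file content is constructed, and the NAMES table stands in for
       /etc/hosts and /etc/networks (the address given for "trusted" is an
       assumption).

```python
import ipaddress

# Assumed name lookup (replaces /etc/hosts and /etc/networks in this example).
NAMES = {"trusted": "192.168.1.0"}

# Constructed sample: Host B's entries from the man page plus two extra ln1
# entries, a hex-mask denylog entry and the default deny-all from RESTRICTIONS.
SAMPLE_CONF = """
# Host B: trusted net on fza0, insecure1 on ln0, insecure2 on ln1
ln0 trusted 255.255.255.0 deny        # drop packets claiming the trusted net
ln1 trusted 255.255.255.0 deny
ln1 10.0.0.0 0xff000000 denylog       # mask written as a hexadecimal number
ln1 0.0.0.0 0.0.0.0 deny              # default deny-all must be the last entry
"""

def parse_mask(text):
    """A mask may be 0x-hex, dotted-decimal, or a name resolved through NAMES."""
    if text.startswith("0x"):
        return int(text, 16)
    return int(ipaddress.IPv4Address(NAMES.get(text, text)))

def parse_conf(conf):
    """Return {interface: [(addr_int, mask_int, action), ...]} in file order."""
    filters = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments and blank lines are skipped
        if not line:
            continue
        ifname, addr, mask, action = line.split()
        if action not in ("permit", "deny", "denylog"):
            raise ValueError(f"unknown action {action!r}")
        a = int(ipaddress.IPv4Address(NAMES.get(addr, addr)))
        m = parse_mask(mask)
        # RESTRICTIONS: every significant bit of the address must be set in the mask
        if a & ~m & 0xFFFFFFFF:
            raise ValueError(f"mask {mask} does not cover address {addr}")
        filters.setdefault(ifname, []).append((a, m, action))
    return filters

def check_source(filters, ifname, src):
    """Action for a packet from src on ifname: first match wins, implicit permit."""
    s = int(ipaddress.IPv4Address(src))
    for a, m, action in filters.get(ifname, []):
        if s & m == a:
            return action
    return "permit"   # the implicit default permit-all entry at the end
```

       An interface with no entries (fza0 here) therefore permits everything,
       which matches the man page's advice that trusted interfaces need no
       entry.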

FILES
       /etc/ifaccess.conf
              Specifies the path name for the file.

       /usr/sys/include/net/if.h
              Network interface structures header file.

       Internet address and version structures header file.

RELATED INFORMATION
       Commands: netstat(1), ifconfig(8), syslogd(8), tcpdump(8).
