IP Spoof Protection

Steven Thompson

15 Sep 2000 15 Sep '00

12:21

Hi how well does "Source Address Verification" work by making the following setting. echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter What does the rp_filter do & how does it work. Can it cause any problems with your IPCHAINS rules? Thanks in advance Steven

Show replies by date

Roman Drahtmueller

15 Sep 15 Sep

12:44

New subject: [suse-security] IP Spoof Protection

...

Hi how well does "Source Address Verification" work by making the following setting.

echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter

What does the rp_filter do & how does it work.

Can it cause any problems with your IPCHAINS rules?

Thanks in advance

Steven

Example: you have eth0 (192.168.0.1) as the internal network interface and eth1 (4.4.4.4) as the external iface. rp_filter rejects packets with a source of 192.168.0/24 if they arrive on eth1. More generally: It rejects incoming packets if the interface address that it arrives on does not match the respective routing table entry. Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

Nix

30 Sep 30 Sep

01:38

New subject: [suse-security] IP Spoof Protection

If you ask me, everyone should have this enabled, indeed I think debian does by default. However there are some cases where you should. These involve having a "multihomed" internet connection, for instance if you have one of those satellite links where your outgoing data goes out a modem/isdn connection and you inbound comes down a sat-link. (almost all sat connections work this way) Cheers Nix At 06:44 PM 15/09/2000, you wrote:

...

...
Hi how well does "Source Address Verification" work by making the following setting.

echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter

What does the rp_filter do & how does it work.

Can it cause any problems with your IPCHAINS rules?

Thanks in advance

Steven

Example: you have eth0 (192.168.0.1) as the internal network interface and eth1 (4.4.4.4) as the external iface.

rp_filter rejects packets with a source of 192.168.0/24 if they arrive on eth1.

More generally: It rejects incoming packets if the interface address that it arrives on does not match the respective routing table entry.

Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Rainer Link

15 Sep 15 Sep

12:50

New subject: [suse-security] IP Spoof Protection

On Fri, 15 Sep 2000, Steven Thompson wrote:

...

Hi how well does "Source Address Verification" work by making the following setting.

echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter

What does the rp_filter do & how does it work. Quote from net/ipv4/fib_frontend.c

/* Given (packet source, input interface) and optional (dst, oif, tos): - (main) check, that source is valid i.e. not broadcast or our local address. - figure out what "logical" interface this packet arrived and calculate "specific destination" address. - check, that packet arrived from expected physical interface. */ int fib_validate_source(u32 src, u32 dst, u8 tos, int oif, struct device *dev, u32 *spec_dst, u32 *itag) best regards, Rainer Link -- Rainer Link, SuSE GmbH, eMail: link@suse.de, Web: www.suse.de Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/ Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/

Rainer Link

12:55

New subject: [suse-security] IP Spoof Protection

On Fri, 15 Sep 2000, Rainer Link wrote:

...

...
Hi how well does "Source Address Verification" work by making the following setting.

echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter

What does the rp_filter do & how does it work. Quote from net/ipv4/fib_frontend.c

/* Given (packet source, input interface) and optional (dst, oif, tos): - (main) check, that source is valid i.e. not broadcast or our local address. - figure out what "logical" interface this packet arrived and calculate "specific destination" address. - check, that packet arrived from expected physical interface. */

int fib_validate_source(u32 src, u32 dst, u8 tos, int oif, struct device *dev, u32 *spec_dst, u32 *itag) Sorry, I forgot to mention Documentation/networking/ip-sysctl.txt. :-)

best regards, Rainer Link -- Rainer Link, SuSE GmbH, eMail: link@suse.de, Web: www.suse.de Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/ Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/

8609

Age (days ago)

8624

Last active (days ago)

List overview

Download

4 comments

4 participants

participants (4)

Nix
Rainer Link
Roman Drahtmueller
Steven Thompson