Hi how well does "Source Address Verification" work by making the following setting.
echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter
What does the rp_filter do & how does it work.
Can it cause any problems with your IPCHAINS rules?
Thanks in advance
Steven
Example: you have eth0 (192.168.0.1) as the internal network interface and
eth1 (4.4.4.4) as the external iface.
rp_filter rejects packets with a source of 192.168.0/24 if they arrive on
eth1.
More generally: It rejects incoming packets if the interface address that
it arrives on does not match the respective routing table entry.
Roman.
--
Roman Drahtmüller
If you ask me, everyone should have this enabled; indeed I think Debian does by default.
However there are some cases where you should. These involve having a "multihomed" internet connection, for instance if you have one of those satellite links where your outgoing data goes out a modem/ISDN connection and your inbound comes down a sat-link. (Almost all sat connections work this way.)
Cheers
Nix
At 06:44 PM 15/09/2000, you wrote:
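To make Roman's description of the check and Nix's multihomed caveat concrete, here is an added example (not from this thread and not kernel code) that models the strict reverse-path check of rp_filter=1 over a toy routing table; the 4.4.4.0/24 netmask for eth1 and the ppp0/sat0 interface names are assumptions.

```python
import ipaddress

# Constructed routing table for the box Roman describes: eth0 is the internal
# LAN (192.168.0.1/24), eth1 the external link (4.4.4.4, /24 assumed here),
# and the default route leaves via eth1.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "eth0"),
    (ipaddress.ip_network("4.4.4.0/24"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth1"),
]
LOCAL_ADDRS = {ipaddress.ip_address("192.168.0.1"), ipaddress.ip_address("4.4.4.4")}

# Nix's caveat: an asymmetric satellite setup where outbound traffic leaves via
# the modem (ppp0) but inbound arrives on the sat link (sat0); names assumed.
ASYMMETRIC_ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "eth0"),
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),
]


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_verdict(src, in_iface, routes=ROUTES, local=LOCAL_ADDRS):
    """Strict reverse-path check (rp_filter=1): first reject sources that are
    multicast, broadcast or one of our own addresses, then require that the
    route back to src leaves through the interface the packet arrived on."""
    src = ipaddress.ip_address(src)
    if src.is_multicast or src in local or any(src == n.broadcast_address for n, _ in routes):
        return "drop: invalid source"
    expected = route_lookup(src, routes)
    if expected is None:
        return "drop: no route to source"
    if expected != in_iface:
        return f"drop: route to {src} is via {expected}, arrived on {in_iface}"
    return "accept"


if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface, routing table)
    samples = [
        ("192.168.0.7", "eth0", ROUTES),         # internal host on the LAN side
        ("192.168.0.7", "eth1", ROUTES),         # internal source from outside: spoofed
        ("8.8.8.8", "eth1", ROUTES),             # ordinary reply from the Internet
        ("192.168.0.255", "eth0", ROUTES),       # subnet broadcast used as source
        ("8.8.8.8", "sat0", ASYMMETRIC_ROUTES),  # legitimate, yet dropped when asymmetric
    ]
    for src, iface, table in samples:
        print(f"{src:>14} on {iface:<5} -> {rp_filter_verdict(src, iface, table)}")
```

The last sample is the false positive Nix warns about: the reply is genuine, but the route back to 8.8.8.8 points out ppp0, so strict rp_filter discards it on sat0.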
On Fri, 15 Sep 2000, Steven Thompson wrote:
What does the rp_filter do & how does it work.
Quote from net/ipv4/fib_frontend.c:
/* Given (packet source, input interface) and optional (dst, oif, tos):
   - (main) check, that source is valid i.e. not broadcast or our local address.
   - figure out what "logical" interface this packet arrived and calculate "specific destination" address.
   - check, that packet arrived from expected physical interface.
 */
int fib_validate_source(u32 src, u32 dst, u8 tos, int oif, struct device *dev, u32 *spec_dst, u32 *itag)
best regards,
Rainer Link
--
Rainer Link, SuSE GmbH, eMail: link@suse.de, Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
On Fri, 15 Sep 2000, Rainer Link wrote:
Sorry, I forgot to mention Documentation/networking/ip-sysctl.txt. :-)
best regards,
Rainer Link
participants (4)
- Nix
- Rainer Link
- Roman Drahtmueller
- Steven Thompson