rp_filter? (was Re: DDOS Attack Mitigation)

From: Julien Nadeau (julienat_private)
Date: Fri Feb 18 2000 - 13:12:13 PST


    Bennett Todd wrote:
    >
    > 2000-02-14-13:44:09 Julien Nadeau:
    > > A solution would be for kernels to provide an option to keep a
    > > local IP lookup table which could be simply based on network
    > > interfaces; of course, given an stable implementation, this option
    > > enabled by default would take care of spoofing problems for admins
    > > who don't think much about what they're sending out -- i mean,
    > > they're big part of the problem.
    >
    > Linux already has such an option; just go
    >
    >         for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    >                 echo 1 > $f
    >         done
    >
    > and the routing logic will drop packets with forged source addrs.
    > It's not on by default. Yet.
    
    I must be missing something but isn't rp_filter ineffective?
    I have it turned on on all my local machines, including the router;
    i was able to forge packets with any source/destination address
    and it routes like a charm.
    
    Host A runs 2.2.14 with rp_filter enabled on all interfaces; it uses
    a very restrictive firewall whose ingress filtering i turned off as
    a test.
    
    Host B uses a somewhat tricky firewall; UDP is only allowed on port 53 to
    particular hosts.  Host B is also behind a Cisco and traffic goes through 3
    firewalls, the upstream ISP's one, our OpenBSD router and host B's Linux 2.2.14
    firewall. As a test i forged a UDP packet (source: 66.66.66.66:53, dest:
    (`host B'):53), host B's sniffer logged the packet well.
    
    
    I've browsed through 2.2.14 sources for rp_filter; net/ipv4/fib_frontend.c's
    fib_validate_source() takes care of rp_filter.
    
    (from linux/inetdevice.h)
    #define IN_DEV_RPFILTER(in_dev) (ipv4_devconf.rp_filter \
                                     && (in_dev)->cnf.rp_filter)
    (fib_frontend.c)
    if (IN_DEV_RPFILTER(in_dev)) return -EINVAL;
    
    Feels like i'm missing something, but aren't ipv4_devconf.rp_filter and
    (in_dev)->cnf.rp_filter both 1 if rp_filter is enabled on the concerned
    interface and `globally', what does this have to do with source address
    checking?  I've also checked with other admins and they confirmed rp_filter
    wasn't doing anything.
    
    --
    Julien Nadeau @csoft.net
    CubeSoft Communications
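
The check that IN_DEV_RPFILTER() gates is a reverse route lookup on the packet's source address, which is why it is not a generic "is this source forged" test: the packet is only dropped when the route back to its source leaves by a different interface than the one it arrived on. The model below is an added example, not code from the thread or from the kernel, with a constructed two-interface routing table (eth0 upstream with the default route, eth1 the LAN); it shows that a source such as 66.66.66.66 is rejected when it shows up on the LAN side but accepted when it arrives from the interface holding the default route.

```python
# Added example: a minimal model of strict reverse-path filtering,
# the check fib_validate_source() performs when rp_filter is set.
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table (assumption, not from the thread):
# eth0 faces the upstream and carries the default route, eth1 is the LAN.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "eth0"),
    ("192.168.1.0/24", "eth1"),
]


def reverse_lookup(src: str, routes: List[Tuple[str, str]] = ROUTES) -> Optional[str]:
    """Longest-prefix match: which interface would we send a reply to src out of?"""
    addr = ipaddress.ip_address(src)
    best, best_len = None, -1
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def rp_filter_accept(src: str, ingress: str, rp_filter: int = 1,
                     routes: List[Tuple[str, str]] = ROUTES) -> bool:
    """True if a packet with source src arriving on ingress passes the filter.

    rp_filter=0 disables the check entirely; rp_filter=1 (strict) requires
    the reverse route for src to point back out the ingress interface.
    """
    if not rp_filter:
        return True
    return reverse_lookup(src, routes) == ingress


def demo() -> dict:
    """Constructed packets: (source, ingress interface) -> accepted?"""
    cases = [
        ("66.66.66.66", "eth1"),   # outside source claimed on the LAN side: dropped
        ("66.66.66.66", "eth0"),   # same source from upstream: default route matches, passes
        ("192.168.1.10", "eth0"),  # LAN source arriving from upstream: dropped
        ("192.168.1.10", "eth1"),  # LAN source on the LAN interface: passes
    ]
    return {(s, i): rp_filter_accept(s, i) for s, i in cases}


if __name__ == "__main__":
    for (src, iface), ok in demo().items():
        print(f"{src:>14} on {iface}: {'accept' if ok else 'drop'}")
```

The second case is the one a single rp_filter host cannot help with: any source that the default route covers is "reachable" via the upstream interface, so strict filtering there only catches addresses with a more specific route elsewhere, and filtering of arbitrary sources has to happen at the edge that owns those prefixes.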
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:57 PDT