Re: rp_filter? (was Re: DDOS Attack Mitigation)

From: Chuck Phillips (cdpat_private)
Date: Sun Feb 20 2000 - 12:44:12 PST


     > > Linux already has such an option; just go
     > >
     > >         for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
     > >                 echo 1 > $f
     > >         done
     > >
     > > and the routing logic will drop packets with forged source addrs.
     > > It's not on by default. Yet.
    
    Julien Nadeau writes:
     > I must be missing something but isn't rp_filter ineffective?
     > I have it turned on all my local machines, including the router;
     > i was able to forge packets with any source/destination address
     > and it routes like a charm.
    
    You may need to dig a little deeper into the documentation.  From the linux
    2.2.14 kernel sources, .../Documentation/networking/ip-sysctl.txt:
    
    ----------------8<----------------8<----------------8<----------------
    rp_filter - INTEGER
            2 - do source validation by reversed path, as specified in RFC1812
                Recommended option for single homed hosts and stub network
                routers. Could cause troubles for complicated (not loop free)
                networks running a slow unreliable protocol (sort of RIP),
                or using static routes.
    
            1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
                that look as sourced at a directly connected interface, but
                were input from another interface.
    
            0 - No source validation.
    
            NOTE: do not disable this option! All BSD derived routing software
            (sort of gated, routed etc. etc.) is confused by such packets,
            even if they are valid. When enabled it also prevents ip spoofing
            in some limited fashion.
    
            NOTE: this option is turned on per default only when ip_forwarding
            is on. For non-forwarding hosts it doesn't make much sense and
            makes some legal multihoming configurations impossible.
    ----------------8<----------------8<----------------8<----------------
    
    A lot of other information that would be interesting to the Linux folks on
    this list can be found in that file.
    
    	Hope this helps,
    		Chuck
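
As an added example (not part of Chuck's post, the quoted loop, or the kernel documentation): the `for f in /proc/sys/net/ipv4/conf/*/rp_filter` loop above, turned into a small audit-and-set script. It checks every interface before and after setting, so the "I turned it on but spoofed packets still route" case can be traced to an interface that was left at 0. SYSCTL_ROOT is a hypothetical knob introduced here so the functions can be exercised against a constructed fake tree without root; on a real host leave it at the default. One caveat the 2.2.14 text does not carry: later kernels renumber the values (1 is strict reverse-path validation per RFC 3704, 2 is loose mode) and apply the larger of conf/all and conf/<iface> to each interface, so read the ip-sysctl documentation for the kernel you actually run before choosing a level.

```shell
#!/bin/sh
# Audit and set rp_filter on every interface.
# SYSCTL_ROOT is a hypothetical knob (not a kernel interface): it lets the
# functions run against a constructed fake tree instead of the real /proc/sys.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# rp_list ROOT: print "<iface> <value>" for every conf/*/rp_filter under ROOT.
rp_list() {
    root=$1
    for f in "$root"/net/ipv4/conf/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        printf '%s %s\n' "$iface" "$(cat "$f")"
    done
}

# rp_weak_count ROOT LEVEL: number of interfaces whose rp_filter is below LEVEL.
# A non-zero result means forged-source packets can still enter somewhere.
rp_weak_count() {
    rp_list "$1" | awk -v want="$2" '$2 < want { n++ } END { print n + 0 }'
}

# rp_set_all ROOT LEVEL: the quoted loop, parameterized. Needs root on a real
# system; which LEVEL to pass depends on the running kernel's ip-sysctl numbering.
rp_set_all() {
    root=$1; level=$2
    for f in "$root"/net/ipv4/conf/*/rp_filter; do
        [ -f "$f" ] || continue
        echo "$level" > "$f"
    done
}

# make_fake_tree: build a constructed stand-in for /proc/sys/net/ipv4/conf
# (every interface at 0 except eth0 at 1) and print its path.
make_fake_tree() {
    d=$(mktemp -d)
    for i in all default lo eth0 eth1; do
        mkdir -p "$d/net/ipv4/conf/$i"
        echo 0 > "$d/net/ipv4/conf/$i/rp_filter"
    done
    echo 1 > "$d/net/ipv4/conf/eth0/rp_filter"
    echo "$d"
}

# Usage: sh rp_filter.sh audit   (read the live settings under $SYSCTL_ROOT)
#        sh rp_filter.sh demo    (exercise the functions on the fake tree)
case "${1:-}" in
    audit) rp_list "$SYSCTL_ROOT" ;;
    demo)
        d=$(make_fake_tree)
        echo "before:"; rp_list "$d"
        echo "interfaces below level 1: $(rp_weak_count "$d" 1)"
        rp_set_all "$d" 2
        echo "after:"; rp_list "$d"
        rm -rf "$d"
        ;;
esac
```

Run it with `audit` first on each machine in the path, including the router; the common surprise is an interface (or conf/all) still reading 0 on the box that was assumed to be filtering.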
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:26 PDT