Hello,
On Wed, 10 Jul 2002, Joseph Mack wrote:
> Jeff and I have been talking offline - we're trying to find out more about
> source route spoofing. Here's the docs we have...
>
> Checking about source route spoofing
> Source route verification can be turned on or off
> in the kernel by setting "/proc/sys/net/ipv4/conf/default/rp_filter"
> to 1 or zero. Here's the description of the setting copied from
> /usr/src/linux/Documentation/filesystems/proc.txt:
>
> rp_filter
> ---------
> Integer value determines if a source validation should be made.
> 1 means yes, 0 means no. Disabled by default, but local/broadcast
> address spoofing is always on.
>
> Questions:
>
> does local spoofing ON means that packets with src_addr which are the same
> as any ip on the router will be dropped? or is it any IP on that NIC?
Any local IP on any interface
> If you set this to 1 on a router that is the only connection
> for a network to the net, it will prevent spoofing attacks
> against your internal networks (external addresses can still
> be spoofed), without the need for additional firewall rules.
>
> how does the router know how to differentiate the inside and outside
> networks? By arp'ing? Is the spoofing by NIC or for the whole address space?
The user sets the flags and that's all, the kernel does
not know anything about internal/external ifaces. It is useful
even for "internal" ("safe") interfaces to control ARP but you
can solve the same problem with arp_filter. Of course, if you
want more control for the reverse path protection there is
rp_filter_mask:
http://www.linuxvirtualserver.org/~julian/#rp_filter_mask
I use it for asymmetric routing, rp protection aware
of the medium_id values and of course to hack the bridging - the
IP Mode.
> Joe
Regards
--
Julian Anastasov <ja@xxxxxx>
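A small simulation of the rp_filter decision discussed in this thread, added here as an example and not code from the mailing list or the kernel: the local/broadcast source check is always applied, the reverse path check only when rp_filter is 1, and a packet that arrives on a different interface than the route back to its source (the asymmetric routing case) is dropped. The routing table, interface addresses and packets are constructed.

```python
"""Simulation of Linux reverse path filtering (rp_filter).
Added example; routing table, local addresses and packets are constructed."""
import ipaddress
from typing import Optional, Tuple

# Constructed routing table: (destination prefix, outgoing interface).
ROUTES = [
    ("192.168.1.0/24", "eth0"),   # internal LAN
    ("10.0.0.0/8", "eth1"),       # second internal link (asymmetric path)
    ("0.0.0.0/0", "eth2"),        # default route towards the Internet
]
# Constructed addresses owned by the router, keyed by interface.
LOCAL_ADDRS = {"eth0": "192.168.1.1", "eth1": "10.0.0.1", "eth2": "203.0.113.5"}
LOCAL_IPS = {ipaddress.ip_address(a) for a in LOCAL_ADDRS.values()}
BROADCAST = ipaddress.ip_address("255.255.255.255")


def route_lookup(ip: ipaddress.IPv4Address, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the kernel would use to reach ip."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def accept_source(src: str, in_iface: str, rp_filter: int) -> Tuple[bool, str]:
    """Decide whether a packet with source src arriving on in_iface is accepted.

    A source equal to any local IP (on any interface) or the broadcast address
    is always rejected. With rp_filter == 1 the route back to src must leave
    via in_iface, otherwise the packet is dropped as a spoof."""
    ip = ipaddress.ip_address(src)
    if ip in LOCAL_IPS or ip == BROADCAST:
        return False, "local/broadcast address spoofing (always on)"
    if rp_filter == 0:
        return True, "rp_filter disabled"
    out_iface = route_lookup(ip)
    if out_iface != in_iface:
        return False, f"reverse path is {out_iface}, packet arrived on {in_iface}"
    return True, "reverse path matches"


if __name__ == "__main__":
    for src, iface, rpf in [("192.168.1.50", "eth2", 1), ("10.5.5.5", "eth0", 1)]:
        print(src, iface, rpf, accept_source(src, iface, rpf))
```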