|
your kernel isn't using the setting specified in RFC1812.
You would be referring to following snipped in the RFC, right?
5.3.8 Source Address Validation
A router SHOULD IMPLEMENT the ability to filter traffic based on a
comparison of the source address of a packet and the forwarding table
for a logical interface on which the packet was received. If this
filtering is enabled, the router MUST silently discard a packet if
the interface on which the packet was received is not the interface
on which a packet would be forwarded to reach the address contained
in the source address. In simpler terms, if a router wouldn't route
a packet containing this address through a particular interface, it
shouldn't believe the address if it appears as a source address in a
packet read from this interface.
If this feature is implemented, it MUST be disabled by default.
So if I read this correctly, /proc/../conf/{all,default}/rp_filter must
be off on a freshly booted kernel without any explicit user changes in
any of the rc boot scripts.
You should file a bug report. Several people have fallen
over this one.
File it with debian?
whoever makes your kernel
<off-topic>
Horms, I believe :). But it's more of a user space issue, since I cannot
imagine Debian being so "dumb^Wdifferent" and patch the default
rp_filter proc-fs value to 1 in the kernel. I've checked on a Debian
installation of one of our customers:
sf-lb:~ # cat /etc/network/options
ip_forward=yes
spoofprotect=yes
syncookies=no
sf-lb:~ # uname -a
Linux sf-lb 2.4.27 #1 Sat Oct 16 17:14:21 CEST 2004 sparc64 GNU/Linux
sf-lb:~ # cat /etc/debian_version
testing/unstable
sf-lb:~ #
I have to assume these are the default settings, which then in
/etc/init.d/networking get set over doopt() (completely brain-dead
redundant information).
Reading spoofprotect_rp_filter() in /etc/init.d/networking I have to
assume that the person maintaining this piece of software has not
understood the network related settings (besides showing horrible
programming practise) in proc-fs under Linux:
spoofprotect_rp_filter () {
# This is the best method: turn on Source Address Verification and get
# spoof protection on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
--> This should be s/*/default/ to match at least the wrong comment
echo 1 > $f
done
return 0
else
return 1
fi
}
On top, good programming practise would be to explicitly set the other
values you take for granted to 0, since an operator could have
accidentally set some proc-fs values to test something and did not make
it reboot-safe.
Debian is and will remain a system for people with a lot of spare time.
Folks: rp_filter has almost nothing to do with proper network security!
If source validation has to be done, make sure you route properly.
It's funny, Debian people would only need to have a look at SuSE or Red
Hat to see how one can do the networking setup a tad bit better.
</off-topic>
Regards,
Roberto Nibali, ratz
--
echo
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
|
