Jeff wrote
> > I still have Source Route Verification turned on on the Director. The VIP
> > resides on the real servers only, on their respective tunl0 device. In this
> > setup, where is the spoof coming in?
Julian replied
> Only if 90.0.0.30/24 is on eth1, not on eth0. Of course,
> your setup in the first posting is ambiguous.
> You can check it with:
>
> ip route get from 90.0.0.35 to 90.0.0.35 iif eth0
Jeff and I have been talking offline - we're trying to find out more about
source route spoofing. Here are the docs we have...
Checking about source route spoofing
Source route verification can be turned on or off
in the kernel by setting "/proc/sys/net/ipv4/conf/default/rp_filter"
to 1 or zero. Here's the description of the setting copied from
/usr/src/linux/Documentation/filesystems/proc.txt:
rp_filter
---------
Integer value determines if a source validation should be made.
1 means yes, 0 means no. Disabled by default, but local/broadcast
address spoofing is always on.
Questions:
Does local spoofing ON mean that packets with a src_addr which is the same
as any IP on the router will be dropped? Or is it any IP on that NIC?
If you set this to 1 on a router that is the only connection
for a network to the net, it will prevent spoofing attacks
against your internal networks (external addresses can still
be spoofed), without the need for additional firewall rules.
How does the router know which networks are inside and which are outside?
By ARPing? Is the spoofing check by NIC or for the whole address space?
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
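An added example, not from the thread: a small Python model of the kernel's source validation, run against a constructed routing table so the two cases Julian distinguishes (the 90.0.0.0/24 subnet reached via eth0 versus via eth1) can be traced the same way his `ip route get ... iif` check does. The interface names, subnets, local addresses and the rp_filter value are assumptions chosen to match the thread's scenario.

```python
import ipaddress

# Constructed data (assumptions, not from the original posts): the
# 90.0.0.0/24 subnet hangs off eth0, a second subnet off eth1, and the
# default route also leaves via eth0.
ROUTES = [
    ("90.0.0.0/24", "eth0"),
    ("10.1.1.0/24", "eth1"),
    ("0.0.0.0/0", "eth0"),
]
# Addresses configured on this host, on any interface (assumed values).
LOCAL_ADDRS = {"90.0.0.1", "10.1.1.1"}


def lookup_oif(routes, addr):
    """Longest-prefix match: the interface the kernel would route addr out of."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, oif in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, oif)
    return best[1] if best else None


def validate_source(routes, local_addrs, src, iif, rp_filter):
    """Model the source validation done on a packet with source src arriving
    on interface iif. Returns (accepted, reason).

    - A source equal to one of the host's own addresses is rejected regardless
      of rp_filter (the "local address spoofing" check proc.txt says is always on).
    - With rp_filter=1 the route back to src must leave via iif: the kernel
      decides which side a source belongs to from the routing table, not ARP.
    """
    if src in local_addrs:
        return False, "source is a local address of this host"
    if rp_filter:
        oif = lookup_oif(routes, src)
        if oif != iif:
            return False, f"reverse path to {src} is via {oif}, not {iif}"
    return True, "ok"


if __name__ == "__main__":
    # Same source address, two ingress interfaces, as in the ip route get check.
    for iif in ("eth0", "eth1"):
        print(iif, validate_source(ROUTES, LOCAL_ADDRS, "90.0.0.35", iif, 1))
```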