Re: FW: LVS-Tun and Fwmarks

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, Julian Anastasov <ja@xxxxxx>
Subject: Re: FW: LVS-Tun and Fwmarks
Cc: Jeff <golfer2@xxxxxxxxxxxxxx>, Joseph Mack <mack.joseph@xxxxxxxxxxxxxxx>
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Wed, 10 Jul 2002 19:43:29 -0400
Jeff wrote 

> > I still have Source Route Verification turned on on the Director.  The VIP
> > resides on the real servers only, on their respective tunl0 device.  In this
> > setup, where is the spoof coming in?

Julian replied
>         Only if 90.0.0.30/24 is on eth1, not on eth0. Of course,
> your setup in the first posting is ambiguous. 
.
.
> You can check it with:
> 
> ip route get from 90.0.0.35 to 90.0.0.35 iif eth0

Jeff and I have been talking offline - we're trying to find out more about
source route spoofing. Here are the docs we have...

        Checking about source route spoofing 
        Source route verification can be turned on or off 
        in the kernel by setting "/proc/sys/net/ipv4/conf/default/rp_filter" 
        to 1 or zero.  Here's the description of the setting copied from
        /usr/src/linux/Documentation/filesystems/proc.txt:

        rp_filter
        --------- 
        Integer value determines if a source validation should be made. 
        1 means yes, 0 means no.  Disabled by default, but local/broadcast 
        address spoofing is always on.

Questions:

does local spoofing ON mean that packets with a src_addr which is the same 
as any IP on the router will be dropped? Or is it any IP on that NIC?


        If you set this to 1 on a router that is the only connection 
        for a network to the net, it will prevent spoofing attacks 
        against your internal networks (external addresses can still 
        be spoofed), without the need for additional firewall rules.

how does the router know what differentiates the inside and outside
networks? By arp'ing? Is the spoofing check per NIC or for the whole address space?

Joe

-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
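Added illustration, not part of Joe's or Julian's posts: a small Python model of the source validation the kernel performs, to make Julian's `ip route get from SRC to SRC iif eth0` check concrete. Strict rp_filter (`rp_filter=1`) looks up the route back to the packet's source address and drops the packet if that route would leave via a different interface than the one the packet arrived on; a source that is one of the host's own addresses is dropped as a martian regardless of the setting, which is what the "local/broadcast address spoofing is always on" sentence in proc.txt refers to. The routing tables, the second internal network 10.1.0.0/16, the external client 203.0.113.9 and the local addresses are constructed for the example; 90.0.0.35, eth0/eth1 and tunl0 come from the thread. The last function goes one step beyond the thread and applies the same rule to an LVS-Tun real server, where a client packet decapsulated on tunl0 has its reverse path via eth0.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str  # interface the kernel would send out of for this prefix


def route(cidr: str, dev: str) -> Route:
    return Route(ipaddress.ip_network(cidr), dev)


# Constructed routing table for a director (an assumption, not the poster's
# real configuration): 90.0.0.0/24 on eth0, a second internal network on eth1,
# default route out eth0.
DIRECTOR_TABLE: List[Route] = [
    route("90.0.0.0/24", "eth0"),
    route("10.1.0.0/16", "eth1"),
    route("0.0.0.0/0", "eth0"),
]
# Addresses configured on the director itself (constructed).
DIRECTOR_LOCAL: Set[ipaddress.IPv4Address] = {
    ipaddress.ip_address("90.0.0.1"),
    ipaddress.ip_address("10.1.0.1"),
}

# Constructed table for an LVS-Tun real server: a single NIC (eth0) carries
# its 90.0.0.0/24 segment and the default route; tunl0 has no route of its own.
REALSERVER_TABLE: List[Route] = [
    route("90.0.0.0/24", "eth0"),
    route("0.0.0.0/0", "eth0"),
]
REALSERVER_LOCAL: Set[ipaddress.IPv4Address] = {ipaddress.ip_address("90.0.0.35")}


def lookup(table: Iterable[Route], dst) -> Optional[str]:
    """Longest-prefix match: the device `ip route get <dst>` would report."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.dev if best else None


def reverse_path_check(table, local_addrs, src: str, iif: str, rp_filter: int) -> Tuple[bool, str]:
    """Decide whether a packet with source `src` arriving on `iif` is accepted.

    Models the kernel's source validation (settable per interface under
    /proc/sys/net/ipv4/conf/<dev>/rp_filter):
      * a source that is one of the host's own addresses, or loopback, is a
        martian and is dropped whatever rp_filter says;
      * with rp_filter=1 the route back to `src` must leave via `iif`, i.e.
        `ip route get from SRC to SRC iif IIF` must succeed;
      * with rp_filter=0 only the martian check applies.
    """
    saddr = ipaddress.ip_address(src)
    if saddr in local_addrs or saddr.is_loopback:
        return False, "martian: source is a local/loopback address"
    if rp_filter == 0:
        return True, "rp_filter=0: no reverse path check"
    rdev = lookup(table, saddr)
    if rdev is None:
        return False, "no route back to source"
    if rdev != iif:
        return False, f"reverse path is via {rdev}, packet arrived on {iif}"
    return True, f"reverse path via {iif} matches the incoming interface"


def director_cases() -> dict:
    """Constructed packets hitting the director; True means accepted."""
    chk = lambda src, iif, rp: reverse_path_check(DIRECTOR_TABLE, DIRECTOR_LOCAL, src, iif, rp)[0]
    return {
        "rs-on-eth0": chk("90.0.0.35", "eth0", 1),            # real server on its own segment
        "rs-spoofed-on-eth1": chk("90.0.0.35", "eth1", 1),    # same source from the wrong segment
        "int-spoofed-on-eth0": chk("10.1.0.5", "eth0", 1),    # eth1 address appearing on eth0
        "external-on-eth0": chk("203.0.113.9", "eth0", 1),    # default-route side: still accepted
        "external-on-eth1": chk("203.0.113.9", "eth1", 1),    # external address on an internal NIC
        "own-addr-rpfilter-off": chk("90.0.0.1", "eth0", 0),  # own address: dropped even with 0
    }


def realserver_tunnel_case() -> Tuple[bool, bool]:
    """Client packet decapsulated on tunl0: (accepted with rp_filter=1, with rp_filter=0)."""
    strict = reverse_path_check(REALSERVER_TABLE, REALSERVER_LOCAL, "203.0.113.9", "tunl0", 1)
    off = reverse_path_check(REALSERVER_TABLE, REALSERVER_LOCAL, "203.0.113.9", "tunl0", 0)
    return strict[0], off[0]


if __name__ == "__main__":
    for name, accepted in director_cases().items():
        print(f"{name:24s} {'ACCEPT' if accepted else 'DROP'}")
    print("tunl0 strict/off:", realserver_tunnel_case())
```

The model answers the "by NIC or whole address space" question the way the kernel does: the decision is made per incoming interface against the whole routing table, so an internal address is rejected on any interface other than the one its route points at, while an address covered only by the default route is accepted on the default-route interface (which is what "external addresses can still be spoofed" means). On a real server the same rule drops tunnelled client traffic on tunl0 under strict rp_filter, since the route back to the client is via eth0.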

