Re: FW: LVS-Tun and Fwmarks

To: Joseph Mack <mack.joseph@xxxxxxx>
Subject: Re: FW: LVS-Tun and Fwmarks
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, Jeff <golfer2@xxxxxxxxxxxxxx>, Joseph Mack <mack.joseph@xxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 11 Jul 2002 09:10:44 +0000 (GMT)
        Hello,

On Wed, 10 Jul 2002, Joseph Mack wrote:

> Jeff and I have been talking offline - we're trying to find out more about
> source route spoofing. Here's the docs we have...
>
>       Checking about source route spoofing
>       Source route verification can be turned on or off
>       in the kernel by setting "/proc/sys/net/ipv4/conf/default/rp_filter"
>       to 1 or zero.  Here's the description of the setting copied from
>       /usr/src/linux/Documentation/filesystems/proc.txt:
>
>       rp_filter
>       ---------
>       Integer value determines if a source validation should be made.
>       1 means yes, 0 means no.  Disabled by default, but local/broadcast
>       address spoofing is always on.
>
> Questions:
>
> does local spoofing ON mean that packets with a src_addr that is the same
> as any IP on the router will be dropped? Or is it any IP on that NIC?

        Any local IP on any interface

>       If you  set this to 1 on a router that is the only connection
>       for a network to the net,  it  will  prevent  spoofing  attacks
>       against your internal networks (external addresses  can  still
>       be  spoofed), without the need for additional firewall rules.
>
> how does the router know what differentiates the inside and outside
> networks? By arp'ing? Is the spoofing by NIC or for the whole address space?

        The user sets the flags and that's all, the kernel does
not know anything about internal/external ifaces. It is useful
even for "internal" ("safe") interfaces to control ARP but you
can solve the same problem with arp_filter. Of course, if you
want more control for the reverse path protection there is
rp_filter_mask:

http://www.linuxvirtualserver.org/~julian/#rp_filter_mask

        I use it for asymmetric routing, rp protection aware
of the medium_id values and of course to hack the bridging - the
IP Mode.

> Joe

Regards

--
Julian Anastasov <ja@xxxxxx>
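The two checks discussed in this message, the always-on local-address check ("any local IP on any interface") and the rp_filter=1 reverse-path check, can be modelled in a few lines. The following is an added example written for this archive page, not code from the thread or from the kernel: it simulates the kernel's decision with a constructed routing table and constructed interface addresses (eth0 as the outside link with a default route, eth1 as the inside network), so you can see which source addresses a router with rp_filter=1 would drop and why external addresses can still be spoofed.

```python
"""Simulation of Linux strict reverse-path filtering (rp_filter=1) plus the
always-on local-address spoofing check.

Educational model only (not kernel code). Interfaces, addresses and routes
below are constructed for the example; TEST-NET ranges are used as "public".
"""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed: local addresses per interface, what the kernel keeps as local routes.
LOCAL_ADDRS = {
    "eth0": [ip_interface("192.0.2.1/24")],   # outside link (TEST-NET-1)
    "eth1": [ip_interface("10.0.0.1/24")],    # inside network
    "lo":   [ip_interface("127.0.0.1/8")],
}

# Constructed routing table: (prefix, outgoing interface). Default route via eth0.
ROUTES = [
    (ip_network("10.0.0.0/24"), "eth1"),
    (ip_network("192.0.2.0/24"), "eth0"),
    (ip_network("0.0.0.0/0"), "eth0"),
]


def lookup(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    best = None
    for net, dev in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def is_local(addr):
    """True if addr is configured on any interface of this host."""
    return any(addr == i.ip for ifs in LOCAL_ADDRS.values() for i in ifs)


def accept_source(src, in_dev, rp_filter):
    """Decide whether a packet with source src arriving on in_dev is accepted.

    Returns (accepted, reason).
    1. A source equal to any local IP on any interface is dropped when it arrives
       on a non-loopback interface; this check does not depend on rp_filter.
    2. With rp_filter=1 the route back to src must leave via the ingress
       interface, otherwise the packet is dropped.
    The kernel has no notion of "inside" or "outside"; only the routing table
    decides, which is why addresses routed via the default route (eth0 here)
    still pass when they arrive on eth0.
    """
    src = ip_address(src)
    if in_dev != "lo" and is_local(src):
        return False, "source is a local address (this check is always on)"
    if rp_filter:
        out_dev = lookup(src)
        if out_dev != in_dev:
            return False, f"reverse path for {src} is {out_dev}, not {in_dev}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed cases: (source, ingress interface, rp_filter value)
    cases = [
        ("10.0.0.5", "eth0", 1),        # inside address arriving from outside
        ("10.0.0.5", "eth0", 0),        # same packet with rp_filter off
        ("198.51.100.7", "eth0", 1),    # outside address via default route
        ("10.0.0.1", "eth0", 0),        # router's own eth1 address from eth0
        ("192.0.2.1", "eth1", 1),       # router's own eth0 address from eth1
        ("10.0.0.5", "eth1", 1),        # inside address on the inside interface
    ]
    for src, dev, rpf in cases:
        ok, why = accept_source(src, dev, rpf)
        print(f"src={src:<14} in={dev} rp_filter={rpf}: "
              f"{'ACCEPT' if ok else 'DROP'} ({why})")
```

Running it shows the behaviour the quoted proc.txt text describes: with rp_filter=1 a packet claiming an internal 10.0.0.x source but entering on eth0 is dropped, while a packet claiming any address that the default route covers is accepted on eth0, so external addresses can still be spoofed. The router's own addresses are rejected on every non-loopback interface whether rp_filter is 0 or 1.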
