Re: Ip-spofing or Source address verification

Michael H. Warfield (mhw@wittsend.com)
Tue, 1 Jun 1999 09:01:53 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jochen Heuer: "[2.3.4]: wait_on_bh, CPU 1"
Previous message: Ian McKellar: "Re: XFS and journalling filesystems"

Jorge Novo enscribed thusly:
> Hello Kernel: ;-)

> With the kernel 2.2.9 i can activate the ip-spofing using the
> file rp_filter, but in the kernel 2.0.36 how i can do this?

Simple answer... You can't (AFAIK). That's a 2.2 feature that's
not available in 2.0.

More complicated now... Are you sure you are doing what you think
you are? If that's the feature I think it is, you could be mislead. That
feature merely does a reverse route check on an incoming packet and rejects
the packet if it would be routed out through a different interface than
the one it comes in on. That means that if you are NOT using a multihome
host, such as a firewall or router, it likely won't do you much good.
Heck! If you don't have more than one interface, it won't do you ANY good.

The use for it is to automagically spot when a packet being routed
into a network claims to be coming from a system already inside that network.
You can do that with just some simple firewall rules.

If you have more than two interfaces (say one or more ethernet NICS
and a few PPP links) then this "feature" can cause random acts of terrorism
unless you are very sure that you won't ever run into asymetrical routing
conditions (which it will mistakenly interpret as spoofed packets). I've
been know to deliberately create asymetrical routing conditions when software
or systems outside of my control have blown a routing brain fart. Firewall
rules for blocking specific illegal source address claims is more stable
in complex environments.

> Sorry about my English one more time.

:-)

> SALUDE3.

> --
> *************************************************
> + Jorge Novo - Dpto. Tecnico - EDUCANET +
> + --------------------------------------------- +
> + http://www.educanet.net -- http://www.ibex.es +
> + jnovo@educanet.net Fido->2:344/102.18 +
> + Untzaga Ibaia Kalea, 1 DERIO Tef: 944541041 +
> *************************************************

Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jochen Heuer: "[2.3.4]: wait_on_bh, CPU 1"
Previous message: Ian McKellar: "Re: XFS and journalling filesystems"