On Mon, Mar 12, 2001 at 06:36:25PM +0000, Jim Breton wrote:
> On Mon, Mar 12, 2001 at 02:31:57PM -0400, Peter Cordes wrote:
> > Doesn't rp_filter do this, or am I missing something? It should make the
> > kernel drop packets coming in on interfaces they shouldn't be, e.g. 10.0.0.0
> > packets coming from an interface to 192.168.1.0.
>
> It does do what you describe; however the original question is about
> evil packet _destinations_ and not evil packet _sources._
No, I just checked linux/Documentation/filesystems/proc.txt, and it points out that this is a source check. Destination is always checked, since it is incorrect not to do so, not just a security risk. rp_filter filters out some packets that are allowed by the protocols, but are obviously bogus in a normal network.

---------------------------------
rp_filter
---------

Integer value determines if a source validation should be made. 1 means yes, 0 means no. Disabled by default, but local/broadcast address spoofing is always on.

If you set this to 1 on a router that is the only connection for a network to the net, it will prevent spoofing attacks against your internal networks (external addresses can still be spoofed), without the need for additional firewall rules.
---------------------------------

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
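As an added illustration (not part of the thread or of the kernel documentation quoted above), here is a small Python model of the strict reverse-path check that rp_filter=1 performs: the lookup is on the packet's source address only, and a packet is dropped when the route back to that source does not leave through the interface it arrived on, which is why a 10/8 source on the 192.168.1/24 LAN is rejected while any address that routes via the default interface passes. The routing table, interface names and addresses are constructed for the example.

```python
import ipaddress

# Constructed routing table for a router with two internal LANs and one
# upstream link. Interface names and prefixes are hypothetical.
ROUTES = [
    ("10.0.0.0/8",     "eth1"),   # internal LAN A
    ("192.168.1.0/24", "eth0"),   # internal LAN B
    ("0.0.0.0/0",      "eth2"),   # default route to the outside world
]


def lookup_out_iface(routes, addr):
    """Longest-prefix match: which interface would the router use to reach addr?"""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_drops(routes, src, in_iface):
    """Strict reverse-path check (rp_filter=1): drop the packet when the route
    back to its *source* address does not leave via the interface the packet
    arrived on. The destination address is not consulted at all."""
    return lookup_out_iface(routes, src) != in_iface


def classify(routes, src, in_iface):
    return "drop" if rp_filter_drops(routes, src, in_iface) else "accept"


if __name__ == "__main__":
    cases = [
        ("10.0.0.5",     "eth1"),  # genuine LAN A host
        ("10.0.0.5",     "eth0"),  # 10/8 source showing up on the 192.168.1/24 LAN
        ("10.0.0.5",     "eth2"),  # outside packet claiming an internal address
        ("203.0.113.9",  "eth2"),  # external source on the default-route interface
        ("198.51.100.7", "eth2"),  # another external source: indistinguishable
    ]
    for src, iface in cases:
        print(f"src={src:14} in={iface}: {classify(ROUTES, src, iface)}")
```

The last two cases show the documentation's caveat: on the default-route interface every outside address reverse-routes correctly, so rp_filter cannot tell a spoofed external source from a real one.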

