2000-04-03-12:22:29 Mikael Schmidt:
> I am just wondering what tool I can use for setting up egress
> filtering in Linux; I have searched and found nothing on the
> web...
There are a few tools.
Recent Linux kernels come with the rp_filter; add something like:
# enable reverse-path filtering on every interface (and the default)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
to an init script to enable it. This will apply the simple rule "if
a reply to this packet would not go out the same interface that the
packet came in on, discard it". As long as you don't have asymmetric
routes over multiple interfaces to the Linux box, this works great
for some filtering.
I like to back that up with explicit expression in ipfwadm,
ipchains, or whatever the equivalent command is under Netfilter, to
just reinforce things in case there should happen to be a bug in the
rp_filter, but that's just me.
You also want to use whichever filtering your kernel supports for
some other blocks: toss anything coming in on any interface either
to or from any RFC 1918 address, and block incoming IP directed
broadcast.
-Bennett
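As an added example that is not part of the original post, the following script turns the advice above (rp_filter on every interface, explicit Netfilter rules to back it up, RFC 1918 drops, and a drop for incoming directed broadcast) into a dry-run generator: it only prints the init-script lines for review and never touches the running system. The iptables syntax, the addrtype match, and the interface name eth0 are my assumptions, as is the `is_rfc1918` helper used to sanity-check addresses.

```shell
#!/bin/sh
# Dry-run generator for the settings described in the post: it only prints
# the init-script lines for review and never changes the running system.
# Assumptions (not from the original): iptables (Netfilter) syntax, the
# addrtype match, and an outside interface named eth0.

# Exit 0 if $1 is a well-formed IPv4 address inside an RFC 1918 block
# (10/8, 172.16/12 or 192.168/16); exit 1 otherwise.
is_rfc1918() {
    oldifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do              # every octet must be a number 0..255
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# Print the lines an init script would need: rp_filter on every interface,
# explicit RFC 1918 drops to back it up, and a drop for directed broadcast.
egress_rules() {
    ifc=${1:-eth0}                 # outside interface (assumed name)
    printf '%s\n' 'for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done'
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        # private space must neither arrive from nor be relayed to the outside
        printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$ifc" "$net"
        printf 'iptables -A INPUT -i %s -d %s -j DROP\n' "$ifc" "$net"
        printf 'iptables -A FORWARD -o %s -s %s -j DROP\n' "$ifc" "$net"
        printf 'iptables -A FORWARD -o %s -d %s -j DROP\n' "$ifc" "$net"
    done
    # packets arriving from outside that are addressed to a broadcast address
    printf 'iptables -A INPUT -i %s -m addrtype --dst-type BROADCAST -j DROP\n' "$ifc"
    printf 'iptables -A FORWARD -i %s -m addrtype --dst-type BROADCAST -j DROP\n' "$ifc"
}

egress_rules "$1"                  # print the ruleset for review
```

Run it as `sh egress.sh ppp0` to see the lines for a different outside interface; they are meant to be read, then pasted into an init script once the interface names match the box.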