"Philip J. Koenig" wrote:
>
[snip]
>
> I'm not sure what David Bandel is referring to with "reverse path
> filtering". I assume he means something otherwise known as "egress
> filtering", i.e. you set up filters on your border routers so that if
> they see packets coming from one of your customers that are not
> claiming to originate from an address you route, you block them. Some
> people are not thrilled about doing that everywhere because it breaks
> certain types of diagnostic and security tools (and lots of
> spoofing/hacking tools).
>
>
Exactly what I'm talking about, be it called rp_filters or egress
filters. I've not seen it cause problems when instituted at border
routers. I know if you're using a firewall with FreeS/WAN you can't
filter on that system, but the next upstream certainly can.
Gee, it breaks spoofing/hacking tools? (Duh.) That's the whole idea!
If you want to do some spoofing tests, you do it on your local network
only. I don't need anyone spoofing my internal network from outside,
or customers sending packets from their systems with source IPs outside
my network. This can't possibly be legitimate traffic, and I for one
drop it. (I do rp_filtering/egress filtering and haven't had one
complaint yet.) If done at a sufficiently low level (C class or
smaller) the spoofing problems on the Internet would disappear overnight.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
_______________________________________________
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc
->http://linux.nf/mailman/listinfo/linux-users
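The two mechanisms the thread uses interchangeably are not quite the same thing, and the difference matters for the "breaks some tools" objection. Linux rp_filter (net.ipv4.conf.*.rp_filter) is a routing-table check: in strict mode (1) a packet is accepted only if the best route back to its source address leaves via the interface it arrived on; in loose mode (2) the source merely has to be reachable via some interface. A customer-prefix egress filter is an explicit access list: a packet arriving on a customer link must carry a source inside that customer's assigned prefixes. The following added example, which is not from the mailing-list post or from any Linux code, models both decisions over a constructed routing table and a handful of constructed packets; the interface names, prefixes and addresses are illustrative assumptions.

```python
# Added example: a small model of reverse-path filtering (Linux rp_filter
# strict/loose semantics) beside a customer-prefix egress filter. The
# routing table, customer prefixes and packets are all constructed for
# illustration; nothing here is taken from the mailing-list post.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str


# Constructed FIB for a hypothetical border router: two customer links
# (eth1, eth2) and one upstream link (eth0) carrying the default route.
ROUTES: List[Route] = [
    Route(Net("192.0.2.0/24"), "eth1"),      # customer A
    Route(Net("198.51.100.0/25"), "eth2"),   # customer B
    Route(Net("0.0.0.0/0"), "eth0"),         # default via upstream
]

# Prefixes each customer-facing interface may source traffic from (constructed).
CUSTOMER_PREFIXES: Dict[str, List[Net]] = {
    "eth1": [Net("192.0.2.0/24")],
    "eth2": [Net("198.51.100.0/25")],
}


def lookup(addr: IPv4, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match; None if no route (not even a default) covers addr."""
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def strict_rpf(src: str, ingress: str) -> bool:
    """rp_filter=1 (strict): accept only if the best route back to src leaves
    via the interface the packet arrived on. Catches a customer spoofing an
    outside address and an outsider spoofing one of our own prefixes, but
    also drops legitimate traffic when routing is asymmetric."""
    r = lookup(IPv4(src))
    return r is not None and r.iface == ingress


def loose_rpf(src: str, ingress: str) -> bool:
    """rp_filter=2 (loose): accept if src is reachable via any interface.
    With a default route installed every address is reachable, so this mode
    only rejects sources that hit no route at all (e.g. blackholed space)."""
    return lookup(IPv4(src)) is not None


def egress_filter(src: str, ingress: str) -> bool:
    """Prefix-list egress filter on customer links: a packet arriving on a
    customer interface must carry a source inside that customer's prefixes.
    Interfaces without a customer prefix list (the upstream) are left to RPF."""
    allowed = CUSTOMER_PREFIXES.get(ingress)
    if allowed is None:
        return True
    a = IPv4(src)
    return any(a in p for p in allowed)


def decide(src: str, ingress: str, mode: str = "strict") -> str:
    """Combined verdict: customer egress check plus the chosen rp_filter mode."""
    rpf = strict_rpf if mode == "strict" else loose_rpf
    return "accept" if egress_filter(src, ingress) and rpf(src, ingress) else "drop"


# Constructed sample packets: (source address, ingress interface).
PACKETS: List[Tuple[str, str]] = [
    ("192.0.2.10", "eth1"),      # customer A, own address: legitimate
    ("198.51.100.7", "eth1"),    # customer A using customer B's address: spoof
    ("10.0.0.5", "eth1"),        # customer A using RFC 1918 space: spoof
    ("192.0.2.10", "eth0"),      # arrives from upstream claiming our prefix: spoof
    ("203.0.113.9", "eth0"),     # ordinary Internet source via upstream: legitimate
]


def run(mode: str = "strict") -> Dict[Tuple[str, str], str]:
    """Verdict for every sample packet under the given rp_filter mode."""
    return {pkt: decide(pkt[0], pkt[1], mode) for pkt in PACKETS}


if __name__ == "__main__":
    for m in ("strict", "loose"):
        print(f"--- rp_filter mode: {m}")
        for (src, ifc), verdict in run(m).items():
            print(f"{src:>14} via {ifc}: {verdict}")
```

Running it shows why the two modes are not interchangeable: the prefix list alone catches a customer sourcing someone else's address on eth1, and strict RPF additionally drops the packet arriving from upstream with one of our own prefixes as source, while loose RPF lets that one through because the default route makes every address "reachable". Strict mode is the one that also bites on asymmetric paths (multihomed customers, tunnel endpoints where traffic leaves one way and returns another), which is the practical reason to apply it per interface at the border rather than everywhere.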