I have just finished reading the following document: http://www.splintered.net/sw/flow-tools/SECURITY
In particular:

"To defend against an attacker injecting bogus flow exports the path between the router and flow collector must prevent source IP address spoofing, either with access lists or unicast RPF checks. Flow-capture requires the source IP of the exporter to be defined and will count any packets received from a different IP in the pkts_corrupt counter."

I don't think I saw any way in nfacctd to limit where flows are received from (aside from a firewall). Maybe linking against libwrap would be an easy way for pmacct to solve this at the application level without any new configuration options. (That way users can just drop their Cisco router IP address into /etc/hosts.allow.)

Cheers

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
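
The application-level check discussed in the message above, sketched as an added example (not code from pmacct, flow-tools or libwrap): a collector compares the source address reported by recvfrom() with a list of configured exporters and counts everything else, in the spirit of flow-capture's pkts_corrupt counter. All names (exporter_acl, collector_stats, pkts_rejected) and the addresses are hypothetical, and the check only holds if source-address spoofing is already prevented on the path, as the quoted SECURITY text requires.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct exporter_acl { uint32_t net, mask; };            /* host byte order */
struct collector_stats { unsigned long pkts_ok, pkts_rejected; };

/* Parse "a.b.c.d" or "a.b.c.d/len". Returns 0 on success, -1 on bad input. */
int acl_parse(const char *s, struct exporter_acl *out) {
    char buf[32], *slash, *end;
    struct in_addr a;
    long len = 32;
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        len = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || len < 0 || len > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    out->mask = len ? 0xFFFFFFFFu << (32 - len) : 0;
    out->net = ntohl(a.s_addr) & out->mask;
    return 0;
}

/* src is the address recvfrom() reported for one datagram. 1 = process it. */
int exporter_allowed(struct in_addr src, const struct exporter_acl *acl,
                     size_t n, struct collector_stats *st) {
    uint32_t ip = ntohl(src.s_addr);
    for (size_t i = 0; i < n; i++)
        if ((ip & acl[i].mask) == acl[i].net) { st->pkts_ok++; return 1; }
    st->pkts_rejected++;               /* dropped before any flow parsing */
    return 0;
}

/* Constructed sample: two allowed exporters, four datagram sources. */
unsigned long demo_rejected(void) {
    const char *allow[] = { "192.0.2.1", "198.51.100.0/28" };
    const char *seen[] = { "192.0.2.1", "198.51.100.14", "198.51.100.16", "203.0.113.9" };
    struct exporter_acl acl[2];
    struct collector_stats st = { 0, 0 };
    struct in_addr src;
    for (int i = 0; i < 2; i++) if (acl_parse(allow[i], &acl[i]) != 0) return (unsigned long)-1;
    for (int i = 0; i < 4; i++) { inet_pton(AF_INET, seen[i], &src); exporter_allowed(src, acl, 2, &st); }
    return st.pkts_rejected;
}

int main(void) { printf("rejected: %lu\n", demo_rejected()); return 0; }
```

A rising rejected counter is worth alerting on: it means datagrams are reaching the collector port from addresses that are not configured exporters.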
