On 06/06/2011 07:08 AM, Mr Dash Four wrote:
>
>> From Documentation/networking/ip_sysctl.txt:
>>
>> rp_filter - INTEGER
>>     0 - No source validation.
>>     1 - Strict mode as defined in RFC3704 Strict Reverse Path
>>         Each incoming packet is tested against the FIB and if the
>>         interface is not the best reverse path the packet check
>>         will fail.
>>         By default failed packets are discarded.
>>     2 - Loose mode as defined in RFC3704 Loose Reverse Path
>>         Each incoming packet's source address is also tested
>>         against the FIB and if the source address is not reachable
>>         via any interface the packet check will fail.
>>
>>     Current recommended practice in RFC3704 is to enable strict mode
>>     to prevent IP spoofing from DDos attacks. If using asymmetric
>>     routing or other complicated routing, then loose mode is
>>     recommended.
>>
>>     conf/all/rp_filter must also be set to non-zero to do source
>>     validation on the interface
>>
>>     Default value is 0. Note that some distributions enable it
>>     in startup scripts.
>>
> Interesting read, thanks! So, I am better off with routefilter=1 than
> routefilter=2 as the checks applied are more stringent? There was
> another reason I asked this question - I need to know what to do with my
> other machines where no shorewall (but other) firewall is deployed?
Set /proc/sys/net/ipv4/conf/all/rp_filter = 1
Set /proc/sys/net/ipv4/conf/iface/rp_filter = 1 (for each 'iface').

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
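The two sysctl settings in Tom's reply, as a small POSIX shell helper added here as an example; it is not part of the thread and not Shorewall code. It audits every rp_filter file under /proc/sys/net/ipv4/conf (which covers 'all', 'default' and each interface), prints sysctl.d lines so the setting survives a reboot, and can write the value in place. PROC_ROOT and the function names are this example's own; PROC_ROOT is overridable so the audit can be tried against a constructed directory tree without root. One caveat worth knowing when applying this to machines without Shorewall: the kernel uses the larger of conf/all/rp_filter and conf/<iface>/rp_filter for each interface, so an interface that must stay in loose mode (2) because of asymmetric routing cannot be lowered below whatever 'all' is set to, and 'default' is what newly created interfaces inherit.

```shell
#!/bin/sh
# Strict reverse-path filtering (rp_filter=1) audit/enforce helper.
# Example code, not from the Shorewall project. PROC_ROOT is an
# assumption of this example: override it to run against a test tree.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4/conf}"

# rp_filter_audit [want]
# Prints "<name> <value>" for every conf/*/rp_filter whose value differs
# from `want` (default 1). Returns 0 if everything matches, 1 otherwise.
rp_filter_audit() {
    want="${1:-1}"
    rc=0
    for f in "$PROC_ROOT"/*/rp_filter; do
        [ -r "$f" ] || continue              # glob may not match at all
        name=$(basename "$(dirname "$f")")   # all, default, lo, eth0, ...
        val=$(cat "$f")
        if [ "$val" != "$want" ]; then
            echo "$name $val"
            rc=1
        fi
    done
    return $rc
}

# rp_filter_sysctl_conf [want]
# Emits sysctl.conf-style lines for every entry present; redirect into
# e.g. /etc/sysctl.d/50-rp_filter.conf so the value persists across boots.
rp_filter_sysctl_conf() {
    want="${1:-1}"
    for f in "$PROC_ROOT"/*/rp_filter; do
        [ -r "$f" ] || continue
        name=$(basename "$(dirname "$f")")
        echo "net.ipv4.conf.$name.rp_filter = $want"
    done
}

# rp_filter_enforce [want]
# Writes `want` into every writable rp_filter file (needs root on a real
# /proc). Interfaces that appear later pick up conf/default/rp_filter.
rp_filter_enforce() {
    want="${1:-1}"
    for f in "$PROC_ROOT"/*/rp_filter; do
        [ -w "$f" ] || continue
        echo "$want" > "$f"
    done
}

# Command-line use: rpf.sh audit|conf|enforce [value]
case "${1:-}" in
    audit)   rp_filter_audit "${2:-1}" ;;
    conf)    rp_filter_sysctl_conf "${2:-1}" ;;
    enforce) rp_filter_enforce "${2:-1}" ;;
esac
```

Run `sh rpf.sh audit` first to see which entries are still 0 or 2 (distributions differ on what they set at boot, as the kernel documentation notes), then `sh rpf.sh conf > /etc/sysctl.d/50-rp_filter.conf` and `sysctl --system`, or `sh rpf.sh enforce` for an immediate change.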
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
