On 07/27/2013 07:54 AM, Tom Eastep wrote:
> On 07/26/2013 01:39 AM, Christophe Ségui wrote:
>> Another (important) detail: the setup works when the client node tries to
>> reach a web server located in netB, but not for an internet web
>> server.... routefilter=0 and logmartians=0 options are set for the FW
>> interface on netB
>
> If you want selective route filtering, then you want ROUTE_FILTER=No
> in shorewall.conf. The effective setting for each interface is the
> *maximum* of the setting for that interface
> (/proc/sys/net/ipv4/<interface>/rp_filter) and the all setting
> (/proc/sys/net/ipv4/all/rp_filter). From The
> Documentation/networking/ip-sysctl file:
>
> rp_filter - INTEGER
>     0 - No source validation.
>     1 - Strict mode as defined in RFC3704 Strict Reverse Path
>         Each incoming packet is tested against the FIB and if the interface
>         is not the best reverse path the packet check will fail.
>         By default failed packets are discarded.
>     2 - Loose mode as defined in RFC3704 Loose Reverse Path
>         Each incoming packet's source address is also tested against the FIB
>         and if the source address is not reachable via any interface
>         the packet check will fail.
>
>     Current recommended practice in RFC3704 is to enable strict mode
>     to prevent IP spoofing from DDoS attacks. If using asymmetric routing
>     or other complicated routing, then loose mode is recommended.
>
>     The max value from conf/{all,interface}/rp_filter is used
>     when doing source validation on the {interface}.
>
>     Default value is 0. Note that some distributions enable it
>     in startup scripts.
>
> Note that Debian is one of those distributions.

Please verify the contents of /proc/sys/net/ipv4/conf/all/rp_filter. All of my Debian systems have old /etc/sysctl.conf files which I retained, so I can't tell if there was a change in that file for Wheezy or not.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
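The max(conf/all, conf/<interface>) rule Tom quotes is easy to get wrong by hand, so here is an added script (not from this thread or from Shorewall) that reports the rp_filter value that actually applies to each interface. It assumes a constructed sample tree by default (conf/all=1, the netB interface eth1 set to 0, eth0 set to 1); on a real host set SYSCTL_ROOT=/proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example (not from the thread): compute the rp_filter that actually applies to an
# interface, which the kernel doc quoted above defines as max(conf/all, conf/<iface>).
# SYSCTL_ROOT points at a sysctl "conf" tree; on a real host set it to
# /proc/sys/net/ipv4/conf. By default a constructed sample tree is used so it runs offline.

# constructed sample: conf/all=1 (as a distro startup script might set), eth1 (netB) set to 0
make_sample_tree() {
    root=$(mktemp -d)
    for i in all eth0 eth1; do mkdir -p "$root/$i"; done
    echo 1 > "$root/all/rp_filter"
    echo 1 > "$root/eth0/rp_filter"
    echo 0 > "$root/eth1/rp_filter"
    echo "$root"
}
SYSCTL_ROOT="${SYSCTL_ROOT:-$(make_sample_tree)}"

# effective_rp_filter IFACE -> prints the larger of conf/all and conf/IFACE
effective_rp_filter() {
    all=$(cat "$SYSCTL_ROOT/all/rp_filter")
    own=$(cat "$SYSCTL_ROOT/$1/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# describe_mode VALUE -> meaning per Documentation/networking/ip-sysctl
describe_mode() {
    case "$1" in
        0) echo "no source validation" ;;
        1) echo "strict reverse path (RFC3704)" ;;
        2) echo "loose reverse path (RFC3704)" ;;
        *) echo "unknown value $1" ;;
    esac
}

# report -> one line per interface, flagging a per-interface 0 that conf/all overrides
report() {
    all=$(cat "$SYSCTL_ROOT/all/rp_filter")
    for d in "$SYSCTL_ROOT"/*/; do
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        own=$(cat "$d/rp_filter")
        eff=$(effective_rp_filter "$i")
        note=""
        if [ "$own" -eq 0 ] && [ "$eff" -ne 0 ]; then
            note=" (interface setting 0 is overridden by conf/all=$all)"
        fi
        echo "$i: own=$own all=$all effective=$eff -> $(describe_mode "$eff")$note"
    done
}

report
```

With the sample tree, eth1 reports effective=1 despite its own 0, which is exactly the symptom described in the thread; clearing conf/all to 0 is what makes the per-interface setting take effect.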
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
