Absolutely, and this should be done as part of any anti-spoofing in a firewall and router facing a hostile network. I just wanted to clarify that it is not an IP routing function per se; rather, it is something that has to be explicitly configured. (Apart from security reasons, you may want to send traffic via different routes depending on the customer source address because of the service they are paying for.)
Martin Visser
Network Consultant - Global Services
COMPAQ, part of the new HP
3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670  Mobile: +61-411-254-513
Fax: +61-2-9022-1800  E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: evilbunny [mailto:[EMAIL PROTECTED]]
Sent: Friday, 28 June 2002 4:28 PM
To: Visser, Martin (Sydney)
Cc: slug
Subject: Re[2]: [SLUG] Source IP address

Hello Martin,

Routers can check the source, and they can filter based on a simple set of rules that only allows IPs that should go through. The fact that they allow different source addresses causes many headaches for admins... flip side being unidirectional satellite setups need to send an alternate source address to have the traffic come back via the satellite link...

-- 
Best regards,
evilbunny mailto:[EMAIL PROTECTED]
http://www.SydneyWireless.com - Exercise your communications freedom to make it do what you never thought possible...

Friday, June 28, 2002, 4:23:09 PM, you wrote:

VMS> Huhhhh? In fact most routers don't check the source, nor do they care,
VMS> which is why certain DoS attacks that spoof source IP addresses work.
VMS> IP routing today is nearly always based only on the destination address.
VMS> In normal IP packet forwarding, the source and destination IP address of
VMS> a packet doesn't change during router hops (MAC/physical does). Hence a
VMS> router receiving packets from another router will see all sorts of
VMS> source IP addresses but it will not always have an iron-clad mechanism
VMS> of determining they came from a legitimate source. The only way you can
VMS> tell where the previous hop was is by the physical line and/or the
VMS> source MAC address (which is usually the router's interface), but of
VMS> course even this can be spoofed.
VMS>
VMS> However, you are correct about the default behaviour when a
VMS> locally-generated packet leaves an interface in Linux. (This doesn't
VMS> apply to a routed/forwarded packet.)
VMS>
VMS> I would probably use iptables to do what John wishes.
VMS>
VMS> Regards, Martin
VMS>
VMS> Martin Visser
VMS> Network Consultant - Global Services
VMS> COMPAQ, part of the new HP
VMS> 3 Richardson Place
VMS> North Ryde, Sydney NSW 2113, Australia
VMS> Phone: +61-2-9022-1670  Mobile: +61-411-254-513
VMS> Fax: +61-2-9022-1800  E-mail: martin.visserAThp.com
VMS>
VMS> -----Original Message-----
VMS> From: Glen Turner [mailto:[EMAIL PROTECTED]]
VMS> Sent: Friday, 28 June 2002 3:32 PM
VMS> To: slug
VMS> Subject: Re: [SLUG] Source IP address
VMS>
>> Is it possible to use iproute2 or something similar to use a particular
>> source address when sending to a particular subnet? (2.4 kernel)
VMS>
VMS> The default behaviour is for a packet exiting ethN to have the source
VMS> IP address of ethN.
VMS>
VMS> The router on ethN is perfectly entitled to discard packets coming
VMS> off that subnet which have the wrong source address (and the router
VMS> should be configured to do so).

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
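An added illustration, not part of the thread or of any poster's code, of the two behaviours discussed: forwarding that looks only at the destination (and carries the source through unchanged), a per-route preferred source of the kind iproute2's "src" option sets for locally generated packets, and the separate, explicitly configured reverse-path (anti-spoofing) check that a router facing a hostile network should perform. It is a Python model of the logic, not the kernel's implementation; the prefixes, addresses and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                                   # egress interface for this prefix
    src: Optional[ipaddress.IPv4Address] = None  # preferred source (like "ip route ... src")


class Router:
    """Minimal model: destination-only forwarding plus an optional ingress check."""

    def __init__(self, routes):
        # routes: iterable of (prefix, iface, preferred_src_or_None) tuples
        self.routes = [Route(ipaddress.ip_network(p), i,
                             ipaddress.ip_address(s) if s else None)
                       for p, i, s in routes]

    def lookup(self, addr):
        """Longest-prefix match, as forwarding does; None if the address is unroutable."""
        addr = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, dst, src):
        """Forwarded packets: only dst picks the egress interface; src passes through untouched."""
        r = self.lookup(dst)
        return (r.iface if r else None, src)

    def select_source(self, dst):
        """Locally generated packets: the route's preferred source, if one was configured."""
        r = self.lookup(dst)
        return str(r.src) if r and r.src else None

    def ingress_ok(self, iface, src):
        """Strict reverse-path check: accept only if the best route back to src
        leaves through the interface the packet arrived on. This is the filter a
        router has to be configured for; plain forwarding never does it."""
        r = self.lookup(src)
        return r is not None and r.iface == iface


# Constructed example table: a LAN, an internal /8 and a default route upstream.
ROUTES = [
    ("192.168.1.0/24", "eth0", "192.168.1.50"),
    ("10.0.0.0/8",     "eth1", "10.0.0.1"),
    ("0.0.0.0/0",      "eth2", "203.0.113.5"),
]


def build_example_router():
    return Router(ROUTES)
```

With this table, a packet claiming a LAN source that arrives on the upstream interface eth2 fails the ingress check, as does a packet with an external source arriving from the LAN on eth0.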
