rp_filter; iptables; spoofing
David Trcka
trcka at poda.cz
Tue Jul 9 10:13:08 CEST 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 9 Jul 2002, David Trcka wrote:
> Please take this explanation with a grain of salt; it has been a while since I
> looked into it, so I cannot vouch for the complete correctness of what I wrote here.
>
So, to be more precise:
rp_filter - INTEGER
    2 - do source validation by reversed path, as specified in RFC1812
        Recommended option for single homed hosts and stub network
        routers. Could cause troubles for complicated (not loop free)
        networks running a slow unreliable protocol (sort of RIP),
        or using static routes.
    1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
        that look as sourced at a directly connected interface, but
        were input from another interface.
    0 - No source validation.

    NOTE: do not disable this option! All BSD derived routing software
    (sort of gated, routed etc. etc.) is confused by such packets,
    even if they are valid. When enabled it also prevents ip spoofing
    in some limited fashion.

    NOTE: this option is turned on per default only when ip_forwarding
    is on. For non-forwarding hosts it doesn't make much sense and
    makes some legal multihoming configurations impossible.
RFC1812:

    5.3.8 Source Address Validation

    A router SHOULD IMPLEMENT the ability to filter traffic based on a
    comparison of the source address of a packet and the forwarding table
    for a logical interface on which the packet was received. If this
    filtering is enabled, the router MUST silently discard a packet if
    the interface on which the packet was received is not the interface
    on which a packet would be forwarded to reach the address contained
    in the source address. In simpler terms, if a router wouldn't route
    a packet containing this address through a particular interface, it
    shouldn't believe the address if it appears as a source address in a
    packet read from this interface.

    If this feature is implemented, it MUST be disabled by default.

    DISCUSSION
        This feature can provide useful security improvements in some
        situations, but can erroneously discard valid packets in
        situations where paths are asymmetric.
They do not mention DHCP there at all, so either it is assumed that no DHCP
server will run on such routers, or it does not apply to DHCP packets, or it
is simply not addressed.
- --
David Trcka, network administrator
PODA s.r.o. - Internet Service Provider
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9KpsWMNnAMG0b8P4RAlV4AKCGr7hzBTCdfMkithHa3mmpIBSFRwCeOXSI
woOw1AZU3N9+7f4XOtDyrsQ=
=2m2n
-----END PGP SIGNATURE-----
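Added example (editor's code, not from the post or from the Linux kernel): a small Python model of the reverse-path check that the quoted rp_filter documentation and RFC 1812 section 5.3.8 describe, using the mode numbering from the documentation quoted in the post (2 = full reverse-path check, 1 = weak check against directly connected subnets only, 0 = off). Current Linux kernels number the modes differently (1 = strict, 2 = loose), so check the ip-sysctl documentation for the kernel you run. The forwarding table, interface names and sample packets are constructed for illustration; the last sample packet shows the asymmetric-path false positive that the RFC's DISCUSSION warns about.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    iface: str      # interface a packet *to* this prefix would leave on
    direct: bool    # True when the prefix is a directly connected subnet


# Constructed forwarding table for a hypothetical two-uplink router
# (assumption for this example, not taken from the post).
FORWARDING_TABLE = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "eth0", True),      # LAN
    Route(ipaddress.ip_network("198.51.100.0/24"), "eth1", True),   # uplink A
    Route(ipaddress.ip_network("203.0.113.0/24"), "eth1", False),   # static route via A
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth2", False),        # default via uplink B
]


def lookup(table, src):
    """Longest-prefix match of the packet's *source* address in the forwarding table."""
    ip = ipaddress.ip_address(src)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def rp_filter(mode, table, src, in_iface):
    """Return True if the packet is accepted, False if it would be silently discarded.

    Mode numbering follows the documentation quoted in the post:
      2 - RFC 1812 5.3.8: drop unless the route back to the source uses in_iface
      1 - weak: drop only packets whose source lies in a directly connected
          subnet but which arrived on a different interface
      0 - no source validation
    """
    if mode == 0:
        return True
    route = lookup(table, src)
    if mode == 2:
        # No route back to the source at all also fails the check.
        return route is not None and route.iface == in_iface
    if mode == 1:
        if route is None or not route.direct:
            return True  # weak mode does not look at non-local sources
        return route.iface == in_iface
    raise ValueError(f"unknown rp_filter mode {mode}")


# Constructed sample packets: (description, source address, ingress interface).
SAMPLE_PACKETS = [
    ("LAN host on its own interface", "192.0.2.10", "eth0"),
    ("spoofed LAN source arriving from uplink A", "192.0.2.10", "eth1"),
    ("spoofed remote source arriving from the LAN", "203.0.113.7", "eth0"),
    ("asymmetric path: legitimate packet via uplink B", "203.0.113.7", "eth2"),
]


def evaluate(mode, table=FORWARDING_TABLE, packets=SAMPLE_PACKETS):
    """Map each sample packet's description to the accept/drop decision for a mode."""
    return {desc: rp_filter(mode, table, src, iface) for desc, src, iface in packets}


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(f"rp_filter={mode}")
        for desc, accepted in evaluate(mode).items():
            print(f"  {'accept' if accepted else 'drop  '}  {desc}")
```

Running it shows the trade-off the post and the RFC describe: mode 1 catches only the packet that claims a LAN source while arriving from an uplink, mode 2 also catches the spoofed remote source coming from the LAN, but mode 2 equally drops the legitimate packet that arrives on uplink B while the route back to its source points at uplink A.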