Re: Required firewall support

To: debian-devel@lists.debian.org
Subject: Re: Required firewall support
From: Steve Greenland <steveg@moregruel.net>
Date: Fri, 18 Mar 2005 13:50:41 -0600
Message-id: <[🔎] 20050318195041.GA3304@moregruel.net>
Mail-followup-to: debian-devel@lists.debian.org
Reply-to: Steve Greenland <steveg@moregruel.net>
In-reply-to: <[🔎] 200503180928.j2I9SgYv012342@renig.nat.blars.org>
References: <[🔎] 20050317070119.GW7864@spawn.internal.mnemosyne-consulting.com> <[🔎] 87oedjtndt.fsf@becket.becket.net> <[🔎] 20050316230804.GB14110@wonderland.linux.it> <[🔎] 87ekef2nhv.fsf@becket.becket.net> <[🔎] 20050317033948.GT7864@spawn.internal.mnemosyne-consulting.com> <[🔎] 87d5tzx77g.fsf@becket.becket.net> <[🔎] 20050317070119.GW7864@spawn.internal.mnemosyne-consulting.com> <[🔎] 200503180928.j2I9SgYv012342@renig.nat.blars.org>

On 18-Mar-05, 03:28 (CST), Blars Blarson <blarson@blars.org> wrote: 
> >Linux fails this. Even with forwarding disabled, it will accept packets
> >for an address on interface A via interface B.
> 
> Enable rp_filter and it does reject such packets.
> 
> echo 1 >/proc/sys/net/ipv4/conf/${dev}/rp_filter

See, that's a nice theory, but it doesn't actually work. 

Maybe it's not clear what I'm talking about. Consider a machine with two
interfaces eth0, eth1. Define eth0 as 192.168.0.1 and eth1 as 10.0.0.1.
Disable forwarding, set rp_filter on all interfaces. From another
machine on 192.168.0/24, set your route for 10/8 to 192.168.0.1. Now
ping 10.0.0.1. For bonus points, do 'ifconfig eth1 down', and then ping
from the other machine again. Surprise!

(All with 2.4.18, maybe it's fixed in 2.6.)

Steve

-- 
Steve Greenland
    The irony is that Bill Gates claims to be making a stable operating
    system and Linus Torvalds claims to be trying to take over the
    world.       -- seen on the net

Reply to:

Follow-Ups:
- Re: Required firewall support
  - From: Matthias Urlichs <smurf@smurf.noris.de>

References:
- Re: Required firewall support
  - From: Joel Aelwyn <fenton@debian.org>
- Required firewall support
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: Required firewall support
  - From: md@Linux.IT (Marco d'Itri)
- Re: Required firewall support
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: Required firewall support
  - From: Joel Aelwyn <fenton@debian.org>
- Re: Required firewall support
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: Required firewall support
  - From: Blars Blarson <blarson@blars.org>

Prev by Date: Re: Bits (Nybbles?) from the Vancouver release team meeting
Next by Date: Re: arch-specific packages and the new SCC requirements
Previous by thread: Re: Required firewall support
Next by thread: Re: Required firewall support
Index(es):
- Date
- Thread