[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SYN flood and IP spoofing

Jigal Weinberg wrote:
> <snip>
> # This is the best method: turn on Source Address Verification and get
> # spoof protection on all current and future interfaces
> </snip>
Be careful with the rp_filter, it breaks the combination of NAT (masquerading)
with source-based routing. If you need both, and still want the rp_filter, then
contact me directly and I will send you a patch for >= 2.2.14 that corrects this
problem (Alan Cox already knows of the problem and is checking out my patch).

BTW, the problem is still there in 2.4.0-test11, but my patch won't work there.

best greets,

Reply to: