Re: SYN flood and IP spoofing
Jigal Weinberg wrote:
> # This is the best method: turn on Source Address Verification and get
> # spoof protection on all current and future interfaces
Be careful with the rp_filter; it breaks the combination of NAT (masquerading)
with source-based routing. If you need both, and still want the rp_filter, then
contact me directly and I will send you a patch for >= 2.2.14 that corrects this
problem (Alan Cox already knows of the problem and is checking out my patch).
BTW, the problem is still there in 2.4.0-test11, but my patch won't work there.
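
Added example, not part of the original message or of any patch mentioned in it: a shell audit that reports the effective rp_filter mode per interface and flags strict mode when source-based routing rules are present, the combination the reply warns about. It assumes current-kernel semantics (effective value is the maximum of conf/all and the per-interface value; 1 is strict, 2 is loose), which are not the 2.2/2.4 behaviour discussed above, and it does not inspect NAT rules. The function names and the sample tree are constructed for illustration.

```shell
# Added example (not from the original post). Assumes current-kernel semantics:
# effective rp_filter = max(conf/all, conf/<if>); 0 = off, 1 = strict, 2 = loose.

# effective_rp_filter CONF_ROOT IFACE: print the effective mode for IFACE.
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$1/$2/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# count_source_rules: read `ip rule show` output on stdin and count rules
# whose "from" selector is not "all" (source-based routing).
count_source_rules() {
    awk '{ for (i = 1; i < NF; i++) {
             if ($i == "from" && $(i + 1) != "all") { n++; break } } }
         END { print n + 0 }'
}

# audit CONF_ROOT RULES_FILE: print "iface mode status" per interface.
#   OFF    = no source address verification on this interface
#   REVIEW = strict mode together with source-based rules (the post's caveat)
audit() {
    nsrc=$(count_source_rules < "$2")
    for d in "$1"/*/; do
        ifc=$(basename "$d")
        case $ifc in all|default) continue ;; esac
        mode=$(effective_rp_filter "$1" "$ifc")
        if [ "$mode" -eq 0 ]; then status=OFF
        elif [ "$mode" -eq 1 ] && [ "$nsrc" -gt 0 ]; then status=REVIEW
        else status=OK; fi
        echo "$ifc $mode $status"
    done
}

# demo: run the audit over a constructed conf tree and constructed rules.
demo() {
    t=$(mktemp -d)
    for i in all default eth0 eth1 ppp0; do mkdir -p "$t/conf/$i"; done
    echo 0 > "$t/conf/all/rp_filter";  echo 1 > "$t/conf/default/rp_filter"
    echo 1 > "$t/conf/eth0/rp_filter"; echo 0 > "$t/conf/eth1/rp_filter"
    echo 2 > "$t/conf/ppp0/rp_filter"
    printf '0:\tfrom all lookup local\n32765:\tfrom 10.0.1.0/24 lookup 100\n' > "$t/rules"
    audit "$t/conf" "$t/rules"
    rm -rf "$t"
}
```

On a live host, pass /proc/sys/net/ipv4/conf as the first argument and a file holding the output of `ip rule show` as the second.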