
Re: SYN flood and IP spoofing



Jigal Weinberg wrote:
> <snip>
> # This is the best method: turn on Source Address Verification and get
> # spoof protection on all current and future interfaces
> </snip>
Be careful with the rp_filter, it breaks the combination of NAT (masquerading)
with source-based routing. If you need both, and still want the rp_filter, then
contact me directly and I will send you a patch for >= 2.2.14 that corrects this
problem (Alan Cox already knows of the problem and is checking out my patch).

BTW, the problem is still there in 2.4.0-test11, but my patch won't work there.

best greets,
Rene
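
An added example (not part of the original message, and not Rene's patch): a shell check for the combination warned about above, strict rp_filter together with source-based routing rules. It assumes the documented behaviour of current kernels, where the effective value is the maximum of `conf/all` and the per-interface setting, rather than the 2.2/2.4 kernels discussed here; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Usage on a live host (assumed paths of a current Linux kernel):
#   ip rule show | audit /proc/sys/net/ipv4/conf

# effective_rp_filter CONF_ROOT IFACE
# Effective mode = max(conf/all, conf/IFACE): 0 = off, 1 = strict, 2 = loose.
effective_rp_filter() {
    root=$1; iface=$2
    all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$root/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$own" -gt "$all" ]; then echo "$own"; else echo "$all"; fi
}

# strict_ifaces CONF_ROOT
# Prints each interface whose effective mode is strict (1), one per line.
strict_ifaces() {
    root=$1
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        case $iface in all|default) continue ;; esac
        if [ "$(effective_rp_filter "$root" "$iface")" -eq 1 ]; then
            echo "$iface"
        fi
    done
}

# count_policy_rules: reads `ip rule show` output on stdin and counts rules
# other than the three built-in ones (lookup local / main / default).
count_policy_rules() {
    awk '!/from all lookup (local|main|default)[ \t]*$/ && NF {n++} END {print n+0}'
}

# audit CONF_ROOT: warns when policy rules and strict filtering coexist.
audit() {
    rules=$(count_policy_rules)
    strict=$(strict_ifaces "$1" | tr '\n' ' ')
    if [ "$rules" -gt 0 ] && [ -n "$strict" ]; then
        echo "WARN: $rules policy rule(s), strict rp_filter on: $strict"
    else
        echo "OK: no strict rp_filter / policy routing overlap"
    fi
}
```

A warning only means the two features coexist; whether replies are actually dropped depends on which interface the routing rules send the traffic through.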


