
Re: enable rp_filter



Mark-Walter@t-online.de wrote:
> I used this shell command to enable the rp_filter
> functionality on my router:
>
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > "$f"
> done

Debian woody, at least, should do this for you by default
in /etc/rcS.d/S40networking if you're running a kernel which
has rp_filter, and 'spoofprotect' is set in /etc/network/options.

> There are two devices: one is ppp0 and the
> other routes all packets straight into the LAN.
>
> Is it required or recommended to activate rp_filter
> on all devices, or should only eth1 or ppp0 be filtered to avoid spoofing?

Usually it's good to turn it on by default for all interfaces.
I guess that's why Debian does it ;-P

As far as I know, you only /have/ to turn it off if you're doing
asymmetric or policy routing.  It sounds like it should be fine
for you to leave it on for all interfaces.

Some people don't like rp_filter because it drops more or less
'invisibly'.  When it does cause problems it causes *mysterious*
ones, followed eventually by an 'aha' moment and much beating of
head on keyboard.  So some people prefer to do spoof protection
manually.  You get better logging.  If you're the paranoid type
this is important because it lets you know they're /really/ out to
get you. :)

Regards,

    Blair.

--
Play Rogue, visit exotic locations, meet strange creatures
and kill them.
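As an added worked example (not from the original thread; the only code Mark-Walter posted is the one-line loop above): a small POSIX shell script that turns rp_filter on for every interface, reports which interfaces are still unprotected given the kernel's rule that the effective setting is the larger of conf/all and conf/<iface>, and prints the manual log-then-drop rules Blair alludes to as the alternative with better logging. The use of iptables, the chain name SPOOF, the interface names ppp0/eth1 and the LAN subnet 192.168.1.0/24 are assumptions for illustration; the PROC_ROOT parameter exists so the functions can be exercised against a scratch directory without root or a Linux kernel.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions: iptables is the firewall; ppp0 is the WAN side, eth1 the LAN side.

# Directory holding per-interface rp_filter knobs; overridable for testing.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4/conf}"

# set_rp_filter [root] [mode]
# Writes MODE (1 = strict, the value the thread uses; 2 = loose, on newer kernels)
# into every */rp_filter below ROOT, including the "all" and "default" pseudo
# interfaces so that interfaces created later (a re-dialled ppp0) inherit it.
# The persistent equivalent is "net.ipv4.conf.all.rp_filter = 1" in /etc/sysctl.conf.
set_rp_filter() {
    root="${1:-$PROC_ROOT}"
    mode="${2:-1}"
    for f in "$root"/*/rp_filter; do
        [ -f "$f" ] || continue
        echo "$mode" > "$f" || return 1
    done
    return 0
}

# rp_filter_disabled_ifaces [root]
# Prints one interface per line whose effective rp_filter is 0.  The kernel
# applies max(conf/all/rp_filter, conf/<iface>/rp_filter), so an interface is
# only unprotected when both are 0.  "all" and "default" are not real interfaces.
rp_filter_disabled_ifaces() {
    root="${1:-$PROC_ROOT}"
    all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    for f in "$root"/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=${f%/rp_filter}
        iface=${iface##*/}
        case "$iface" in all|default) continue ;; esac
        v=$(cat "$f")
        eff=$all
        [ "$v" -gt "$eff" ] && eff=$v
        [ "$eff" -eq 0 ] && echo "$iface"
    done
    return 0
}

# antispoof_rules WAN LAN LAN_NET
# Prints (does not run) the manual anti-spoofing rules some admins prefer over
# rp_filter: everything goes through a SPOOF chain that logs (rate limited, so
# a flood cannot fill the disk) and then drops.  Pipe the output into sh to apply.
#   - packets entering WAN with a private or LAN source are spoofed;
#   - packets entering LAN whose source is not the LAN subnet are spoofed.
antispoof_rules() {
    wan="$1"
    lan="$2"
    lan_net="$3"
    printf 'iptables -N SPOOF\n'
    printf 'iptables -A SPOOF -m limit --limit 5/min -j LOG --log-prefix "spoofed src: "\n'
    printf 'iptables -A SPOOF -j DROP\n'
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 "$lan_net"; do
        printf 'iptables -A INPUT -i %s -s %s -j SPOOF\n' "$wan" "$net"
        printf 'iptables -A FORWARD -i %s -s %s -j SPOOF\n' "$wan" "$net"
    done
    printf 'iptables -A INPUT -i %s ! -s %s -j SPOOF\n' "$lan" "$lan_net"
    printf 'iptables -A FORWARD -i %s ! -s %s -j SPOOF\n' "$lan" "$lan_net"
}

# Usage (as root, on the router):
#   . ./rp_filter.sh
#   set_rp_filter && rp_filter_disabled_ifaces      # should print nothing
#   antispoof_rules ppp0 eth1 192.168.1.0/24 | sh   # manual alternative with logging
```

The rp_filter_disabled_ifaces check is the part worth keeping around: it answers Mark-Walter's question operationally, and it is the quick thing to run when a route mysteriously stops working, since a non-empty result means rp_filter is not the culprit on that interface.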


