Re: enable rp_filter

To: Blair L Strang <bls@totalinfosecurity.com>, debian-firewall@lists.debian.org
Subject: Re: enable rp_filter
From: Mike Mestnik <cheako911@yahoo.com>
Date: Sun, 31 Oct 2004 13:25:20 -0800 (PST)
Message-id: <[🔎] 20041031212520.26991.qmail@web11906.mail.yahoo.com>
In-reply-to: <[🔎] 417BEAA4.5080002@totalinfosecurity.com>

Hello, I think I could use your wisdome.

--- Blair L Strang <bls@totalinfosecurity.com> wrote:

> Mark-Walter@t-online.de wrote:
> > I used this shell command to enable the rp_filter
> > functionality on my router:
> > 
> > for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> >     echo 1 > $f
> >     done
> 
> Debian woody, at least, should do this for you by default
> in /etc/rcS.d/S40networking if you're running a kernel which
> has rp_filter, and 'spoofprotect' is set in /etc/network/options.
> 
I am/was.

> > There're two devices while one is ppp0 and the
> > other routes all packets straight into the LAN.
> > 
> > Is this required or recommended to activate rp_filter
> > on all devices or should only eth1 or ppp0 be 
> > filtered to avoid spoofing ? 
> > 
> 
> Usually it's good to turn it on by default for all interfaces.
> I guess that's why Debian does it ;-P
> 
> As far as I know, you only /have/ to turn it off if you're doing
> asymmetric or policy routing.  It sounds like it should be fine
> for you to leave it on for all interfaces.
> 

Ohh, you mean this is the reason this dosen't work...

        # Non-local transparent FTP and HTTP(S) proxy.
        ip rule add fwmark 3 table 201
        ip route add default via 10.0.0.110 dev $IFACE table 201
        iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp\
            --src ! 10.0.0.110 --dport 80\
            -j MARK --set-mark 3
        iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp\
            --src ! 10.0.0.110 --dport 443\
            -j MARK --set-mark 3

> Some people don't like rp_filter because it drops more or less
> 'invisibly'.  When it does cause problems it causes *mysterious*
> ones, followed eventually by an 'aha' moment and much beating of
You can say that again, preferably on
http://wiki.debian.net/index.cgi?Firewalls.

> head on keyboard.  So some people prefer to do spoof protection
Here is where I think I could use some help.

1. Do I have to turn it off for all interfaces?  I'm running a home
network with this box as the gateway with 3nics(one is not used).

2. What is the best "Debian" way of turning this off, while still having
rp_filter set for the other interfaces?

mike

> manually.  You get better logging.  If you're the paranoid type
> this is important because it lets you know they're /really/ out to
> get you. :)
> 
> Regards,
> 
>      Blair.
> 
> -- 
> Play Rogue, visit exotic locations, meet strange creatures
> and kill them.
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 


		
__________________________________
Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.
http://promotions.yahoo.com/new_mail

Reply to:

Follow-Ups:
- Re: enable rp_filter
  - From: Blair L Strang <bls@totalinfosecurity.com>

References:
- Re: enable rp_filter
  - From: Blair L Strang <bls@totalinfosecurity.com>

Prev by Date: Port 111
Next by Date: Re: enable rp_filter
Previous by thread: Re: enable rp_filter
Next by thread: Re: enable rp_filter
Index(es):
- Date
- Thread