
Re: enable rp_filter

Hello, I think I could use your wisdom.

--- Blair L Strang <bls@totalinfosecurity.com> wrote:

> Mark-Walter@t-online.de wrote:
> > I used this shell command to enable the rp_filter
> > functionality on my router:
> > 
> > for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> >     echo 1 > $f
> >     done
> Debian woody, at least, should do this for you by default
> in /etc/rcS.d/S40networking if you're running a kernel which
> has rp_filter, and 'spoofprotect' is set in /etc/network/options.
I am/was.

> > There're two devices while one is ppp0 and the
> > other routes all packets straight into the LAN.
> > 
> > Is this required or recommended to activate rp_filter
> > on all devices or should only eth1 or ppp0 be 
> > filtered to avoid spoofing ? 
> > 
> Usually it's good to turn it on by default for all interfaces.
> I guess that's why Debian does it ;-P
> As far as I know, you only /have/ to turn it off if you're doing
> asymmetric or policy routing.  It sounds like it should be fine
> for you to leave it on for all interfaces.

Ohh, you mean this is the reason this doesn't work...

        # Non-local transparent FTP and HTTP(S) proxy.
        ip rule add fwmark 3 table 201
        ip route add default via dev $IFACE table 201
        iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp\
            --src ! --dport 80\
            -j MARK --set-mark 3
        iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp\
            --src ! --dport 443\
            -j MARK --set-mark 3

> Some people don't like rp_filter because it drops more or less
> 'invisibly'.  When it does cause problems it causes *mysterious*
> ones, followed eventually by an 'aha' moment and much beating of
You can say that again, preferably on

> head on keyboard.  So some people prefer to do spoof protection
Here is where I think I could use some help.

1. Do I have to turn it off for all interfaces?  I'm running a home
network with this box as the gateway with 3 NICs (one is not used).

2. What is the best "Debian" way of turning this off, while still having
rp_filter set for the other interfaces?


> manually.  You get better logging.  If you're the paranoid type
> this is important because it lets you know they're /really/ out to
> get you. :)
> Regards,
>      Blair.
> -- 
> Play Rogue, visit exotic locations, meet strange creatures
> and kill them.
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
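An added example, not part of the original thread, addressing the second question above: a POSIX sh function that turns rp_filter on for every interface except the ones named as arguments (for instance the interface whose traffic is steered by the fwmark/policy-routing rules quoted above). `SYSCTL_CONF_DIR` is a hypothetical override used only so the function can be exercised against a constructed directory tree; by default it writes to /proc/sys/net/ipv4/conf and needs root.

```shell
#!/bin/sh
# Enable rp_filter on all interfaces except those passed as arguments.
# Current kernels use max(conf/all/rp_filter, conf/<iface>/rp_filter), so
# 'all' must stay at 0 or the per-interface exemption is silently overridden.
# SYSCTL_CONF_DIR is a hypothetical override for testing against a fake tree.
set_rp_filter_except() {
    conf_dir="${SYSCTL_CONF_DIR:-/proc/sys/net/ipv4/conf}"
    for f in "$conf_dir"/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        case " $* " in
            *" $iface "*) echo 0 > "$f" ;;   # exempted: asymmetric/policy routed
            *)
                case "$iface" in
                    all) echo 0 > "$f" ;;    # keep 'all' low, see note above
                    *)   echo 1 > "$f" ;;    # strict source validation elsewhere
                esac ;;
        esac
    done
}

# Report the value the kernel actually applies to one interface: max(all, iface).
effective_rp_filter() {
    conf_dir="${SYSCTL_CONF_DIR:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$conf_dir/all/rp_filter")
    own=$(cat "$conf_dir/$1/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}
```

Run it from the interface-up hook of the policy-routed interface (for example `set_rp_filter_except ppp0`) so the exemption is re-applied each time the device comes up.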

