Re: enable rp_filter
Hello, I think I could use your wisdom.
--- Blair L Strang <bls@totalinfosecurity.com> wrote:
> Mark-Walter@t-online.de wrote:
> > I used this shell command to enable the rp_filter
> > functionality on my router:
> >
> > for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> > echo 1 > $f
> > done
>
> Debian woody, at least, should do this for you by default
> in /etc/rcS.d/S40networking if you're running a kernel which
> has rp_filter, and 'spoofprotect' is set in /etc/network/options.
>
I am/was.
> > There're two devices while one is ppp0 and the
> > other routes all packets straight into the LAN.
> >
> > Is this required or recommended to activate rp_filter
> > on all devices or should only eth1 or ppp0 be
> > filtered to avoid spoofing ?
> >
>
> Usually it's good to turn it on by default for all interfaces.
> I guess that's why Debian does it ;-P
>
> As far as I know, you only /have/ to turn it off if you're doing
> asymmetric or policy routing. It sounds like it should be fine
> for you to leave it on for all interfaces.
>
Ohh, you mean this is the reason this doesn't work...
# Non-local transparent FTP and HTTP(S) proxy.
ip rule add fwmark 3 table 201
ip route add default via 10.0.0.110 dev $IFACE table 201
# Mark web traffic from everything except the proxy itself, so the rule
# above sends it to 10.0.0.110. (A continuation backslash needs a space
# before it, otherwise "tcp\" and "--src" are joined into one word; the
# negation is written "! --src" in current iptables.)
iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp \
    ! --src 10.0.0.110 --dport 80 \
    -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp \
    ! --src 10.0.0.110 --dport 443 \
    -j MARK --set-mark 3
> Some people don't like rp_filter because it drops more or less
> 'invisibly'. When it does cause problems it causes *mysterious*
> ones, followed eventually by an 'aha' moment and much beating of
You can say that again, preferably on
http://wiki.debian.net/index.cgi?Firewalls.
> head on keyboard. So some people prefer to do spoof protection
Here is where I think I could use some help.
1. Do I have to turn it off for all interfaces? I'm running a home
network with this box as the gateway with 3 NICs (one is not used).
2. What is the best "Debian" way of turning this off, while still having
rp_filter set for the other interfaces?
mike
> manually. You get better logging. If you're the paranoid type
> this is important because it lets you know they're /really/ out to
> get you. :)
>
> Regards,
>
> Blair.
>
> --
> Play Rogue, visit exotic locations, meet strange creatures
> and kill them.
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>
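The per-interface question above (leave rp_filter on everywhere except the interface that carries the policy-routed proxy traffic), as an added example that is not part of the mail thread: a small POSIX shell script that drives the same /proc/sys tree the quoted loop writes to. It targets current kernels, where Documentation/networking/ip-sysctl.txt states that the max of conf/all/rp_filter and conf/<if>/rp_filter is used for an interface, so conf/all is left at 0 and the filter is switched on interface by interface. The interface names eth0, eth1, ppp0 and the SYSCTL_ROOT override (so the script can be tried against a constructed fake tree without root) are assumptions for illustration; the 2.4 kernels of the woody era combined the two knobs differently, so check the effective behaviour on an old kernel before relying on this.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post.
# Set rp_filter per interface under a sysctl root (default /proc/sys).
# On 2.6+ kernels the value the kernel applies to an interface is
#   max(conf/all/rp_filter, conf/<if>/rp_filter)
# so exempting one interface requires conf/all to stay at 0.
# Usage (as root): . ./rp_filter.sh; rp_filter_apply eth1 $(list_ifaces)

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"   # assumed override for testing

# rp_filter_set <iface|all|default> <0|1|2>
rp_filter_set() {
    f="$SYSCTL_ROOT/net/ipv4/conf/$1/rp_filter"
    [ -w "$f" ] || { echo "rp_filter_set: cannot write $f" >&2; return 1; }
    echo "$2" > "$f"
}

# rp_filter_get <iface|all|default>: the raw value stored for that entry
rp_filter_get() {
    cat "$SYSCTL_ROOT/net/ipv4/conf/$1/rp_filter"
}

# rp_filter_effective <iface>: what the kernel actually applies, max(all, iface)
rp_filter_effective() {
    a=$(rp_filter_get all)
    i=$(rp_filter_get "$1")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# list_ifaces: every interface with a conf entry, excluding all/default/lo
list_ifaces() {
    for d in "$SYSCTL_ROOT"/net/ipv4/conf/*/; do
        d=${d%/}
        d=${d##*/}
        case "$d" in all|default|lo) ;; *) echo "$d" ;; esac
    done
}

# rp_filter_apply <exempt-iface> <iface> [<iface> ...]
# Strict source validation on every listed interface except the exempt one.
# conf/all is forced to 0 because any non-zero value there would override
# the per-interface 0; conf/default covers interfaces created later.
rp_filter_apply() {
    exempt="$1"
    shift
    rp_filter_set all 0 || return 1
    rp_filter_set default 1 || return 1
    for i in "$@"; do
        if [ "$i" = "$exempt" ]; then
            rp_filter_set "$i" 0 || return 1
        else
            rp_filter_set "$i" 1 || return 1
        fi
    done
}
```

On a current Debian the persistent equivalent is `net.ipv4.conf.all.rp_filter = 0` plus one `net.ipv4.conf.<if>.rp_filter = 1` line per interface in a file under /etc/sysctl.d/, or `up sysctl -w net.ipv4.conf.$IFACE.rp_filter=1` lines on the relevant stanzas of /etc/network/interfaces; `rp_filter_effective` is the check to run afterwards, because a lone `net.ipv4.conf.eth1.rp_filter = 0` next to `all = 1` does nothing visible.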