Re: enable rp_filter
--- Blair L Strang <bls@totalinfosecurity.com> wrote:
> Mike Mestnik wrote:
>
> > Hello, I think I could use your wisdom.
>
> So could I, I haven't been able to find it for ages. I think I
> might have left it in a taxi or something ;-P
>
> >>As far as I know, you only /have/ to turn it off if you're doing
> >>asymmetric or policy routing. It sounds like it should be fine
> >>for you to leave it on for all interfaces.
> >>
> > Ohh, you mean this is the reason this doesn't work...
> >
> > # Non-local transparent FTP and HTTP(S) proxy.
> > # Packets carrying mark 3 are routed via table 201 to the proxy box.
> > ip rule add fwmark 3 table 201
> > ip route add default via 10.0.0.110 dev $IFACE table 201
> > # Mark HTTP/HTTPS from everyone except the proxy itself (the "!" is
> > # reconstructed; without it the proxy's own traffic would loop back).
> > iptables -t mangle -A PREROUTING -i $IFACE -p tcp ! --src 10.0.0.110 --dport 80 \
> >     -j MARK --set-mark 3
> > iptables -t mangle -A PREROUTING -i $IFACE -p tcp ! --src 10.0.0.110 --dport 443 \
> >     -j MARK --set-mark 3
>
> Ohhhhh :)
>
> OK, looking at fib_validate_source(), it looks like how rp_filter
> works is just that the kernel takes the packet, reverses src/dst
> addrs and interfaces, and tries to do a routing lookup. It totally
> ignores marking when building the routing key, but weirdly enough,
> it does check the TOS.
>
> So what rp_filter asks is: "if I reverse the direction of this packet,
> would I have routed it out this interface?". If not, drop.
>
> It looks like you're routing back into your internal net, so I think
> you only need rp_filter turned off on the internal interface. You'll
> be seeing replies coming in from a local source, which the kernel thinks
> are supposed to be coming from the 'net.
>
That's correct. After setting it up, I'm still not seeing packets on my
proxy, but it still works. I'll have to look closer at the logs of the
GW.
> There are other gotchas with this scenario which I'm struggling to
> remember. I think you want to disable icmp redirects on the internal
> interface as well.
>
Heh, mysteriously send_redirects was changed for me. Wouldn't surprise me
if it's forced off when you set rp_filter to off.
I think in this case icmp redirects are desirable, though it will cause
extra traffic. If the client accepts the redirect it should remove load off
the router, a big plus. On the other hand if the client ignores the
redirect then there will be many of these icmps (like one every 30 seconds),
this is the extra traffic I was talking about.
Any other thoughts?
mike
train:/etc/network# grep . /proc/sys/net/ipv4/conf/*/send_redirects
/proc/sys/net/ipv4/conf/all/send_redirects:1
/proc/sys/net/ipv4/conf/default/send_redirects:1
/proc/sys/net/ipv4/conf/eth0/send_redirects:0
/proc/sys/net/ipv4/conf/eth1/send_redirects:1
/proc/sys/net/ipv4/conf/eth2/send_redirects:1
/proc/sys/net/ipv4/conf/lo/send_redirects:1
train:/etc/network# grep . /proc/sys/net/ipv4/conf/*/rp_filter
/proc/sys/net/ipv4/conf/all/rp_filter:1
/proc/sys/net/ipv4/conf/default/rp_filter:1
/proc/sys/net/ipv4/conf/eth0/rp_filter:0
/proc/sys/net/ipv4/conf/eth1/rp_filter:1
/proc/sys/net/ipv4/conf/eth2/rp_filter:1
/proc/sys/net/ipv4/conf/lo/rp_filter:1
> echo 0 > /proc/sys/net/ipv4/conf/<blah>/send_redirects
>
> >>Some people don't like rprpilter because it drops more or less
> >>'invisibly'. When it does cause problems it causes *mysterious*
> >>ones, followed eventually by an 'aha' moment and much beating of
> >
> > You can say that again, preferably on
> > http://wiki.debian.net/index.cgi?firewalls.
>
> Heh, OK, I'll have a squiz when I get in to work.
>
> > Here is where I think I could use some help.
> >
> > 1. Do I have to turn it off for all interfaces? I'm running a home
> > network with this box as the gateway with 3 nics (one is not used).
>
> Just the internal, I think. I've been wrong before though.
>
> > 2. What is the best "Debian" way of turning this off, while still
> > having rp_filter set for the other interfaces?
>
> Sorry, I'm not aware of an official 'Debian' way to do this. Maybe
> someone can enlighten me.
>
> I would just leave the default stuff there, but put:
>
> auto <blah>
> iface <blah> inet static
>     pre-up echo 0 > <blah/blah>/rp_filter
>     pre-up echo 0 > <blah/blah>/send_redirects
>     ...
>
> In /etc/network/interfaces. That seems logical because it's related to
> the interface, right? But it might also make sense just to put it in
> your firewalling script (depending on how you do things) with a comment.
>
> Regards,
>
> Blair.
>
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
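An added example, not code from the thread: a small POSIX sh script that applies the kernel's rule for combining conf/all with conf/<iface> to the grep output pasted above. It assumes the semantics documented in the kernel's ip-sysctl text (rp_filter uses the max of the all and per-interface values, send_redirects is on if either is on), which is why eth0=0 under all=1 does not actually switch either knob off on eth0.

```shell
#!/bin/sh
# Effective value of rp_filter / send_redirects on one interface, combining
# conf/all with conf/<iface> the way ip-sysctl.txt documents it (assumed):
#   rp_filter      -> max(all, iface)
#   send_redirects -> 1 if either all or iface is 1
# SAMPLE is a constructed copy of the grep output from the thread, embedded
# so the script runs without /proc; on a live box read the files instead.
SAMPLE='/proc/sys/net/ipv4/conf/all/send_redirects:1
/proc/sys/net/ipv4/conf/default/send_redirects:1
/proc/sys/net/ipv4/conf/eth0/send_redirects:0
/proc/sys/net/ipv4/conf/eth1/send_redirects:1
/proc/sys/net/ipv4/conf/all/rp_filter:1
/proc/sys/net/ipv4/conf/default/rp_filter:1
/proc/sys/net/ipv4/conf/eth0/rp_filter:0
/proc/sys/net/ipv4/conf/eth1/rp_filter:1'

# sysctl_value IFACE KNOB: the configured value, 0 if the line is absent.
sysctl_value() {
    v=$(printf '%s\n' "$SAMPLE" | sed -n "s#^/proc/sys/net/ipv4/conf/$1/$2:##p")
    echo "${v:-0}"
}

# effective IFACE KNOB: the value the kernel really applies on IFACE.
effective() {
    all=$(sysctl_value all "$2")
    dev=$(sysctl_value "$1" "$2")
    case "$2" in
        rp_filter)
            if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi ;;
        send_redirects)
            if [ "$all" = 1 ] || [ "$dev" = 1 ]; then echo 1; else echo 0; fi ;;
        *)  echo "unknown knob: $2" >&2; return 1 ;;
    esac
}

# report IFACE...: configured vs effective, flagging interfaces where an
# explicit 0 is silently overridden by conf/all.
report() {
    for ifc in "$@"; do
        for knob in rp_filter send_redirects; do
            cfg=$(sysctl_value "$ifc" "$knob"); eff=$(effective "$ifc" "$knob")
            note=""
            if [ "$cfg" != "$eff" ]; then note="  <- overridden by conf/all"; fi
            printf '%-5s %-14s configured=%s effective=%s%s\n' \
                "$ifc" "$knob" "$cfg" "$eff" "$note"
        done
    done
}

report eth0 eth1
```

To disable either knob on the internal interface alone, conf/all has to be 0 and the other interfaces set to 1 individually.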