Re: enable rp_filter

--- Blair L Strang <bls@totalinfosecurity.com> wrote:

> Mike Mestnik wrote:
> > Hello, I think I could use your wisdom.
> So could I, I haven't been able to find it for ages.  I think I
> might have left it in a taxi or something ;-P
> >>As far as I know, you only /have/ to turn it off if you're doing
> >>asymmetric or policy routing.  It sounds like it should be fine
> >>for you to leave it on for all interfaces.
> >>
> > Ohh, you mean this is the reason this doesn't work...
> > 
> >         # Non-local transparent FTP and HTTP(S) proxy.
> >         # ($PROXY = next hop for marked traffic, $LAN = source match;
> >         #  both are garbled in the original and left as placeholders.)
> >         ip rule add fwmark 3 table 201
> >         ip route add default via $PROXY dev $IFACE table 201
> >         iptables -t mangle -A PREROUTING -i $IFACE -p tcp \
> >             --src $LAN --dport 80 \
> >             -j MARK --set-mark 3
> >         iptables -t mangle -A PREROUTING -i $IFACE -p tcp \
> >             --src $LAN --dport 443 \
> >             -j MARK --set-mark 3
> Ohhhhh :)
> OK, looking at fib_validate_source(), it looks like how rp_filter
> works is just that the kernel takes the packet, reverses src/dst
> addrs and interfaces, and tries to do a routing lookup.  It totally
> ignores marking when building the routing key, but weirdly enough,
> it does check the TOS.
> So what rp_filter asks is: "if I reverse the direction of this packet,
> would I have routed it out this interface?".  If not, drop.
> It looks like you're routing back into your internal net, so I think
> you only need rp_filter turned off on the internal interface.  You'll
> be seeing replies coming in from a local source, which the kernel thinks
> are supposed to be coming from the 'net.
That's correct.  After setting it up, I'm still not seeing packets on my
proxy, but it still works.  I'll have to look closer at the logs of the

> There are other gotchas with this scenario which I'm struggling to
> remember.  I think you want to disable icmp redirects on the internal
> interface as well.
Heh, mysteriously send_redirects was changed for me.  Wouldn't surprise me
if it's forced off when you set rp_filter to off.

I think in this case icmp redirects are desirable, though it will cause
extra traffic.  If the client accepts the redirect it should remove load off
the router, a big plus.  On the other hand if the client ignores the
redirect then there will be many of these icmps (like one every 30 seconds);
this is the extra traffic I was talking about.

Any other thoughts?


train:/etc/network# grep . /proc/sys/net/ipv4/conf/*/send_redirects 

train:/etc/network# grep . /proc/sys/net/ipv4/conf/*/rp_filter 

> echo 0 > /proc/sys/net/ipv4/conf/<blah>/send_redirects
> >>Some people don't like rp_filter because it drops more or less
> >>'invisibly'.  When it does cause problems it causes *mysterious*
> >>ones, followed eventually by an 'aha' moment and much beating of
> > 
> > You can say that again, preferably on
> > http://wiki.debian.net/index.cgi?firewalls.
> Heh.  OK, I'll have a squiz when I get in to work.
> > Here is where I think I could use some help.
> > 
> > 1. Do I have to turn it off for all interfaces?  I'm running a home
> > network with this box as the gateway with 3 nics (one is not used).
> Just the internal, I think.  I've been wrong before though.
> > 2. What is the best "Debian" way of turning this off, while still
> > having rp_filter set for the other interfaces?
> Sorry, I'm not aware of an official 'Debian' way to do this.  Maybe
> someone can enlighten me.
> I would just leave the default stuff there, but put:
> auto <blah>
> iface <blah> inet static
>      pre-up echo 0 > <blah/blah>/rp_filter
>      pre-up echo 0 > <blah/blah>/send_redirects
>      ...
> In /etc/network/interfaces.  That seems logical because it's related to
> the interface, right?   But it might also make sense just to put it in
> your firewalling script (depending on how you do things) with a comment.
> Regards,
>      Blair.
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org

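The reverse-path check Blair describes above (reverse the packet, route it without the fwmark, accept only if the answer is the arrival interface) and the fwmark/table-201 setup from Mike's script, as an added toy model. This is not code from the thread or from the kernel; the topology (eth0 to the Internet, eth1 the home LAN, the proxy on the LAN, 203.0.113.5 as a remote web server) and the table contents are constructed to match the scenario in the mail. The real kernel also folds TOS into the lookup key, which this model omits.

```python
"""Toy model of rp_filter as fib_validate_source() is described in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


@dataclass(frozen=True)
class Rule:
    fwmark: Optional[int]  # None: the rule matches every packet
    table: str


def net(s):
    return ipaddress.ip_network(s)


# Constructed topology (assumption): eth0 faces the Internet, eth1 is the
# home LAN, and the transparent proxy sits on the LAN behind eth1.
TABLES = {
    "main": [Route(net("192.168.1.0/24"), "eth1"), Route(net("0.0.0.0/0"), "eth0")],
    "201": [Route(net("0.0.0.0/0"), "eth1")],   # 'default via <proxy> dev eth1'
}
RULES = [Rule(3, "201"), Rule(None, "main")]    # 'ip rule add fwmark 3 table 201'


def lookup(dst, fwmark=None):
    """Forward-path lookup: first rule whose fwmark matches, longest prefix wins."""
    dst = ipaddress.ip_address(dst)
    for rule in RULES:
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        hits = [r for r in TABLES[rule.table] if dst in r.prefix]
        if hits:
            return max(hits, key=lambda r: r.prefix.prefixlen).dev
    return None


def rp_filter_accepts(src, in_dev, rp_filter, fwmark=None):
    """Reverse the packet (its source becomes the lookup destination) and
    route it with NO mark, whatever mark the packet carries; accept only if
    the chosen output interface is the one the packet arrived on."""
    if not rp_filter.get(in_dev, False):
        return True  # filter disabled on this interface
    return lookup(src, fwmark=None) == in_dev


def scenario(rp_filter):
    """Three packets at the gateway, returned as {name: accepted?}."""
    return {
        # proxy reply to the LAN client, carrying the remote server's address
        "proxy_reply_on_lan": rp_filter_accepts("203.0.113.5", "eth1", rp_filter, fwmark=3),
        # ordinary LAN client talking out
        "client_on_lan": rp_filter_accepts("192.168.1.10", "eth1", rp_filter),
        # packet from the Internet claiming a LAN source address
        "spoofed_lan_src_on_wan": rp_filter_accepts("192.168.1.10", "eth0", rp_filter),
    }


if __name__ == "__main__":
    print("rp_filter on everywhere:", scenario({"eth0": True, "eth1": True}))
    print("rp_filter off on eth1:  ", scenario({"eth0": True, "eth1": False}))
```

With the filter on for both interfaces the proxy's reply is dropped on eth1 exactly as Blair predicts: the reverse lookup for 203.0.113.5 ignores mark 3, lands in the main table and answers eth0. Turning it off on eth1 only fixes that while eth0 still rejects a packet from the Internet that claims a LAN address, which is the spoofing protection the filter exists for. Later kernels added a per-interface `src_valid_mark` sysctl that lets the reverse lookup include the fwmark, which removes the need to disable the filter in this particular setup.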

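An added checker for the per-interface question in the thread (rp_filter off on the internal interface only, send_redirects handled alongside it), the same information as Mike's `grep . /proc/sys/net/ipv4/conf/*/rp_filter`, but compared against a stated policy. This is not code from the thread; the policy (eth0 strict, eth1 exempt) is a constructed assumption, and the script runs against a fake conf tree so it works offline. It also applies the rule documented for current kernels that the effective rp_filter value is the maximum of conf/all and conf/<iface>, so a per-interface 0 is overridden when conf/all is 1.

```python
"""Audit per-interface rp_filter / send_redirects against a policy."""
from pathlib import Path
import tempfile

# Constructed policy (assumption): eth0 faces the Internet and keeps strict
# reverse-path filtering; eth1 is the home LAN that the transparent proxy
# replies come back through, so it is exempt and does not send redirects.
POLICY = {
    "eth0": {"rp_filter": 1, "send_redirects": 1},
    "eth1": {"rp_filter": 0, "send_redirects": 0},
}


def read_sysctl(conf_dir, iface, key):
    """Read one integer from <conf_dir>/<iface>/<key>,
    e.g. /proc/sys/net/ipv4/conf/eth1/rp_filter."""
    return int((Path(conf_dir) / iface / key).read_text().strip())


def effective_rp_filter(conf_dir, iface):
    """Current kernels apply max(conf/all/rp_filter, conf/<iface>/rp_filter),
    so a per-interface 0 is silently overridden while 'all' is 1."""
    return max(read_sysctl(conf_dir, "all", "rp_filter"),
               read_sysctl(conf_dir, iface, "rp_filter"))


def audit(conf_dir, policy=POLICY):
    """Return (iface, key, expected, effective) tuples for every mismatch."""
    problems = []
    for iface, wanted in policy.items():
        for key, expected in wanted.items():
            if key == "rp_filter":
                actual = effective_rp_filter(conf_dir, iface)
            else:
                actual = read_sysctl(conf_dir, iface, key)
            if actual != expected:
                problems.append((iface, key, expected, actual))
    return problems


def make_fake_conf(root, values):
    """Build a fake conf tree for offline use; values = {iface: {key: int}}."""
    for iface, keys in values.items():
        d = Path(root) / iface
        d.mkdir(parents=True, exist_ok=True)
        for key, val in keys.items():
            (d / key).write_text(f"{val}\n")
    return root


def demo(all_rp_filter):
    """Constructed box: eth0 strict, eth1 relaxed, conf/all as given."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_conf(tmp, {
            "all": {"rp_filter": all_rp_filter, "send_redirects": 1},
            "eth0": {"rp_filter": 1, "send_redirects": 1},
            "eth1": {"rp_filter": 0, "send_redirects": 0},
        })
        return audit(tmp)


if __name__ == "__main__":
    for p in demo(all_rp_filter=1):
        print("mismatch: %s/%s expected %d, effective %d" % p)
    # On a live gateway: audit("/proc/sys/net/ipv4/conf")
```

The interesting case is conf/all/rp_filter left at 1: the per-interface file for eth1 reads 0, `grep` looks right, yet the effective value is still 1 and the proxy replies keep disappearing, which is the "mysterious" drop Blair mentions. Run `audit("/proc/sys/net/ipv4/conf")` as root after the `pre-up` lines in /etc/network/interfaces have fired.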