
Re: enable rp_filter



--- Blair L Strang wrote:

> Mike Mestnik wrote:
> 
> > Hello, I think I could use your wisdom.
> 
> So could I, I haven't been able to find it for ages.  I think I
> might have left it in a taxi or something ;-P
> 
> >>As far as I know, you only /have/ to turn it off if you're doing
> >>asymmetric or policy routing.  It sounds like it should be fine
> >>for you to leave it on for all interfaces.
> >>
> > Ohh, you mean this is the reason this doesn't work...
> > 
> >         # Non-local transparent FTP and HTTP(S) proxy.
> >         ip rule add fwmark 3 table 201
> >         ip route add default via 10.0.0.110 dev $IFACE table 201
> >         # Mark web traffic from everyone except the proxy itself,
> >         # otherwise the proxy's own connections loop back to it.
> >         iptables -t mangle -A PREROUTING -i $IFACE -p tcp \
> >             ! --src 10.0.0.110 --dport 80 \
> >             -j MARK --set-mark 3
> >         iptables -t mangle -A PREROUTING -i $IFACE -p tcp \
> >             ! --src 10.0.0.110 --dport 443 \
> >             -j MARK --set-mark 3
> 
> Ohhhhh :)
> 
> OK, looking at fib_validate_source(), it looks like how rp_filter
> works is just that the kernel takes the packet, reverses src/dst
> addrs and interfaces, and tries to do a routing lookup.  It totally
> ignores marking when building the routing key, but weirdly enough,
> it does check the TOS.
> 
> So what rp_filter asks is: "if I reverse the direction of this packet,
> would I have routed it out this interface?".  If not, drop.
> 
> It looks like you're routing back into your internal net, so I think
> you only need rp_filter turned off on the internal interface.  You'll
> be seeing replies coming in from a local source, which the kernel thinks
> are supposed to be coming from the 'net.
> 
That's correct.  After setting it up, I'm still not seeing packets on my
proxy, but it still works.  I'll have to look closer at the logs of the
GW.

> There are other gotchas with this scenario which I'm struggling to
> remember.  I think you want to disable icmp redirects on the internal
> interface as well.
> 
Heh, mysteriously send_redirects was changed for me.  Wouldn't surprise me
if it's forced off when you set rp_filter to off.

I think in this case icmp redirects are desirable, though it will cause
extra traffic.  If the client accepts the redirect it should remove load off
the router, a big plus.  On the other hand if the client ignores the
redirect then there will be many of these icmps (like one every 30 seconds),
this is the extra traffic I was talking about.

Any other thoughts?

mike

train:/etc/network# grep . /proc/sys/net/ipv4/conf/*/send_redirects 
/proc/sys/net/ipv4/conf/all/send_redirects:1
/proc/sys/net/ipv4/conf/default/send_redirects:1
/proc/sys/net/ipv4/conf/eth0/send_redirects:0
/proc/sys/net/ipv4/conf/eth1/send_redirects:1
/proc/sys/net/ipv4/conf/eth2/send_redirects:1
/proc/sys/net/ipv4/conf/lo/send_redirects:1

train:/etc/network# grep . /proc/sys/net/ipv4/conf/*/rp_filter 
/proc/sys/net/ipv4/conf/all/rp_filter:1
/proc/sys/net/ipv4/conf/default/rp_filter:1
/proc/sys/net/ipv4/conf/eth0/rp_filter:0
/proc/sys/net/ipv4/conf/eth1/rp_filter:1
/proc/sys/net/ipv4/conf/eth2/rp_filter:1
/proc/sys/net/ipv4/conf/lo/rp_filter:1


> echo 0 > /proc/sys/net/ipv4/conf/<blah>/send_redirects
> 
> >>Some people don't like rprpilter because it drops more or less
> >>'invisibly'.  When it does cause problems it causes *mysterious*
> >>ones, followed eventually by an 'aha' moment and much beating of
> > 
> > You can say that again, preferably on
> > http://wiki.debian.net/index.cgi?firewalls.
> 
> Heh, OK, I'll have a squiz when I get in to work.
> 
> > Here is where I think I could use some help.
> > 
> > 1. Do I have to turn it off for all interfaces?  I'm running a home
> > network with this box as the gateway with 3 nics (one is not used).
> 
> Just the internal, I think.  I've been wrong before though.
> 
> > 2. What is the best "Debian" way of turning this off, while still
> > having rp_filter set for the other interfaces?
> 
> Sorry, I'm not aware of an official 'Debian' way to do this.  Maybe
> someone can enlighten me.
> 
> I would just leave the default stuff there, but put:
> 
> auto <blah>
> iface <blah> inet static
>      pre-up echo 0 > <blahblah>/rp_filter
>      pre-up echo 0 > <blahblah>/send_redirects
>      ...
> 
> In /etc/network/interfaces.  That seems logical because it's related to
> the interface, right?   But it might also make sense just to put it in
> your firewalling script (depending on how you do things) with a comment.
> 
> Regards,
> 
>      Blair.
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
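Blair's description of what fib_validate_source() does (swap src/dst, look the source up in the routing table ignoring the fwmark, compare the interface) can be walked through on the thread's own setup. The following Python model is an added example, not code from the mail or from the kernel; the addresses (client 10.0.0.5, proxy 10.0.0.110, web server 203.0.113.80), the interface names eth0 (internal) / eth1 (Internet) and the routing table are constructed to mirror the scenario, not taken from Mike's box.

```python
"""Toy model of Linux rp_filter for the transparent-proxy scenario in the thread.

Constructed example: the check below follows Blair's description of
fib_validate_source() -- take the incoming packet's source address, look it up
in the *main* routing table (the firewall mark is not part of that key, so the
fwmark/table 201 policy route never influences it), and drop the packet unless
the route would leave via the interface the packet arrived on.
"""
from ipaddress import ip_address, ip_network

# Constructed main routing table of the gateway ("train" in the thread):
# the internal LAN on eth0, everything else via the default route on eth1.
MAIN_TABLE = [
    (ip_network("10.0.0.0/24"), "eth0"),
    (ip_network("0.0.0.0/0"), "eth1"),
]

# Per-interface setting, mirroring /proc/sys/net/ipv4/conf/<if>/rp_filter.
RP_FILTER = {"eth0": 1, "eth1": 1}


def route_lookup(table, dst):
    """Longest-prefix match on the plain destination; no mark, no policy table."""
    best = None
    for prefix, dev in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev)
    return best


def rp_filter_accepts(src, in_dev, table=MAIN_TABLE, rp_filter=RP_FILTER):
    """True if a packet from `src` arriving on `in_dev` survives the reverse-path check."""
    if not rp_filter.get(in_dev, 0):
        return True  # filter off on this interface: nothing to check
    reverse = route_lookup(table, ip_address(src))
    # "If I reversed this packet, would I have routed it out this interface?"
    return reverse is not None and reverse[1] == in_dev


def scenario():
    """Packets from the thread's setup; returns {description: accepted?}."""
    client, proxy, webserver = "10.0.0.5", "10.0.0.110", "203.0.113.80"
    results = {
        # Client request to the web server arrives on eth0 with a LAN source: fine.
        "client request on eth0": rp_filter_accepts(client, "eth0"),
        # The proxy's own upstream connections also carry a LAN source: fine.
        "proxy upstream connection on eth0": rp_filter_accepts(proxy, "eth0"),
        # Non-local transparent proxy answers *as* the web server, so the reply
        # reaches the gateway on eth0 with an Internet source address.  The
        # reverse lookup says eth1, so rp_filter drops it without a log line.
        "proxy reply with server src on eth0": rp_filter_accepts(webserver, "eth0"),
        # A genuine reply from the Internet on eth1 passes.
        "real server reply on eth1": rp_filter_accepts(webserver, "eth1"),
    }
    # Blair's suggestion: switch rp_filter off on the internal interface only.
    relaxed = dict(RP_FILTER, eth0=0)
    results["proxy reply, rp_filter off on eth0"] = rp_filter_accepts(
        webserver, "eth0", rp_filter=relaxed)
    # eth1 keeps dropping packets that claim a LAN source but come from outside.
    results["spoofed LAN src arriving on eth1"] = rp_filter_accepts(
        client, "eth1", rp_filter=relaxed)
    return results


if __name__ == "__main__":
    for description, accepted in scenario().items():
        print(f"{'ACCEPT' if accepted else 'DROP  '}  {description}")
```

The model shows why only the internal interface needs the relaxed setting: the external interface still rejects packets with internal source addresses arriving from the Internet, which is the anti-spoofing property rp_filter is there for.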




