
Re: 127.0.0.0/8 addresses from the network



On Mon, Mar 12, 2001 at 06:36:25PM +0000, Jim Breton wrote:
> On Mon, Mar 12, 2001 at 02:31:57PM -0400, Peter Cordes wrote:
> >  Doesn't rp_filter do this, or am I missing something?  It should make the
> > kernel drop packets coming in on interfaces they shouldn't be, e.g. 10.0.0.0
> > packets coming from an interface to 192.168.1.0.
> 
> It does do what you describe; however the original question is about
> evil packet _destinations_ and not evil packet _sources._

 No, I just checked linux/Documentation/filesystems/proc.txt, and it points
out that this is a source check.  Destination is always checked, since it is
incorrect not to do so, not just a security risk.  rp_filter filters out
some packets that are allowed by the protocols, but are obviously bogus in a
normal network.

--------------------------------- 
rp_filter
---------

Integer value determines if a source validation should be made. 1 means yes, 0
means no. Disabled by default, but local/broadcast address spoofing is always
on.

If you set this to 1 on a router that is the only connection for a network to
the net, it will prevent spoofing attacks against your internal networks
(external addresses can still be spoofed), without the need for additional
firewall rules.
---------------------------------

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
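The distinction the reply draws (rp_filter validates the packet's *source* against the routing table; a loopback *destination* arriving from the wire is rejected regardless) can be modelled as a small forwarding-decision function. The example below is an added illustration and not code from the post or from the kernel; the routing table, interface names and packets are constructed for the demonstration, and the longest-prefix `lookup` is a simplified stand-in for the kernel's route lookup.

```python
import ipaddress

# Constructed routing table for a router that is the only link between two
# internal networks and "the net": destination prefix -> outgoing interface.
ROUTES = {
    "0.0.0.0/0": "eth0",       # default route towards the net
    "192.168.1.0/24": "eth1",  # internal LAN
    "10.0.0.0/8": "eth2",      # second internal network
    "127.0.0.0/8": "lo",       # loopback
}


def lookup(addr):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def destination_ok(dst, in_iface):
    """Always-on check: a packet for 127.0.0.0/8 that did not come from lo is bogus."""
    return not (ipaddress.ip_address(dst).is_loopback and in_iface != "lo")


def source_always_ok(src, in_iface):
    """Always-on check on the source: loopback addresses cannot come from the wire."""
    return not (ipaddress.ip_address(src).is_loopback and in_iface != "lo")


def rp_filter_ok(src, in_iface):
    """rp_filter=1: the best route back to src must leave via the ingress interface."""
    return lookup(src) == in_iface


def accept(src, dst, in_iface, rp_filter=1):
    """Return (accepted, reason) for a packet with the given addresses and ingress."""
    if not destination_ok(dst, in_iface):
        return (False, "martian destination")
    if not source_always_ok(src, in_iface):
        return (False, "martian source")
    if rp_filter and not rp_filter_ok(src, in_iface):
        return (False, "rp_filter: reverse path mismatch")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed packets: (src, dst, ingress interface)
    samples = [
        ("10.0.0.5", "192.168.1.10", "eth0"),     # internal source arriving from the net
        ("203.0.113.7", "127.0.0.1", "eth0"),     # loopback destination from the net
        ("203.0.113.7", "192.168.1.10", "eth0"),  # ordinary inbound packet
        ("198.51.100.9", "192.168.1.10", "eth0"), # external source, genuine or spoofed
    ]
    for rp in (0, 1):
        for pkt in samples:
            print(f"rp_filter={rp} {pkt} -> {accept(*pkt, rp_filter=rp)}")
```

Running it shows the two points side by side: the packet with a 10.0.0.5 source arriving on eth0 is accepted with rp_filter=0 and dropped with rp_filter=1, while the packet addressed to 127.0.0.1 is dropped in both settings. The packet with an external source on eth0 passes in both cases, which is the proc.txt caveat that external addresses can still be spoofed.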