[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fw: Can a daemon listen only on some interfaces?

At 10.12.2001, Plato wrote:
> On Sun, Dec 09, 2001 at 07:45:52PM +0100, Guido Hennecke wrote:
> > At 09.12.2001, Tim Haynes wrote:
> > >         echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter
> > > with    echo 1 > /proc/sys/net/ipv4/conf/*/log_martians
> > > for logging/fun purposes.
> > rp_filter will not help with that.
> I thought that rp_filter was for precisely this.  Doesn't it stop packets
> which appear on interfaces with invalid IP addresses for that interface 
> from getting through?

rp_filter is agains ip spoofing but this is not ipspoofing.

You send a packet with the real ip source address. The destination is
different. rp_filter filters the source not the destination.

,----[ /usr/src/linux/Documentation/proc.txt ]
| rp_filter
|    Integer value deciding if source validation should be made.
|    1 means yes, 0 means no. Disabled by default, but
|    local/broadcast address spoofing is always on.
|    If you set this to 1 on a router that is the only connection
|    for a network to the net , it evidently prevents spoofing attacks
|    against your internal networks (external addresses can still be
|    spoofed), without the need for additional firewall rules.

Regards, Guido

Attachment: pgprm9LhC7VJf.pgp
Description: PGP signature

Reply to: