At 10.12.2001, Plato wrote:

> On Sun, Dec 09, 2001 at 07:45:52PM +0100, Guido Hennecke wrote:
> > At 09.12.2001, Tim Haynes wrote:
> > > echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter
> > > with echo 1 > /proc/sys/net/ipv4/conf/*/log_martians
> > > for logging/fun purposes.
> > rp_filter will not help with that.
> I thought that rp_filter was for precisely this. Doesn't it stop packets
> which appear on interfaces with invalid IP addresses for that interface
> from getting through?

rp_filter is against IP spoofing, but this is not IP spoofing. You send a
packet with the real IP source address. The destination is different.
rp_filter filters the source, not the destination.

,----[ /usr/src/linux/Documentation/proc.txt ]
| rp_filter
| Integer value deciding if source validation should be made.
|                           ^^^^^^
| 1 means yes, 0 means no. Disabled by default, but
| local/broadcast address spoofing is always on.
|
| If you set this to 1 on a router that is the only connection
| for a network to the net, it evidently prevents spoofing attacks
| against your internal networks (external addresses can still be
| spoofed), without the need for additional firewall rules.
`----

Regards, Guido
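To make the distinction in Guido's reply concrete, here is an added example (not from the thread) that models strict rp_filter over a constructed routing table: the verdict depends only on whether the route back to the source address leaves via the interface the packet arrived on, so a packet with a genuine source and an unexpected destination passes untouched. The interface names, prefixes and the martian log wording are assumptions.

```python
import ipaddress
from typing import Optional

# Constructed routing table for a hypothetical router: prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "eth0",        # default route, upstream
    ipaddress.ip_network("203.0.113.0/24"): "eth0",   # upstream transit network
    ipaddress.ip_network("192.168.1.0/24"): "eth1",   # internal LAN
    ipaddress.ip_network("10.0.0.0/8"): "eth2",       # second internal segment
}


def route_lookup(addr: str) -> str:
    """Longest-prefix match: the interface a packet *to* addr would leave on."""
    ip = ipaddress.ip_address(addr)
    best = max((net for net in ROUTES if ip in net), key=lambda n: n.prefixlen)
    return ROUTES[best]


def rp_filter_verdict(src: str, dst: str, ingress: str) -> str:
    """Model of strict reverse-path filtering (rp_filter=1).

    The kernel looks up the route back to the *source* and accepts the packet
    only if that route leaves via the ingress interface. The destination is
    never consulted, which is exactly the point made in the reply above.
    """
    if route_lookup(src) == ingress:
        return "ACCEPT"
    return "DROP"


def martian_log(src: str, dst: str, ingress: str) -> Optional[str]:
    """Line that log_martians=1 would produce for a dropped packet.

    Wording is constructed to resemble the kernel message; not copied from it.
    """
    if rp_filter_verdict(src, dst, ingress) == "ACCEPT":
        return None
    return f"martian source {dst} from {src}, on dev {ingress}"


if __name__ == "__main__":
    # Spoofed internal source arriving from upstream: rp_filter drops and logs it.
    print(rp_filter_verdict("192.168.1.50", "203.0.113.1", "eth0"))  # DROP
    print(martian_log("192.168.1.50", "203.0.113.1", "eth0"))
    # Genuine upstream source, arbitrary destination: rp_filter lets it through.
    print(rp_filter_verdict("203.0.113.9", "192.168.1.1", "eth0"))   # ACCEPT
```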