At 10.12.2001, Plato wrote:
> On Sun, Dec 09, 2001 at 07:45:52PM +0100, Guido Hennecke wrote:
> > At 09.12.2001, Tim Haynes wrote:
> > > echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter
> > > with echo 1 > /proc/sys/net/ipv4/conf/*/log_martians
> > > for logging/fun purposes.
> > rp_filter will not help with that.
> I thought that rp_filter was for precisely this. Doesn't it stop packets
> which appear on interfaces with invalid IP addresses for that interface
> from getting through?
rp_filter is against IP spoofing, but this is not IP spoofing.
You send a packet with the real ip source address. The destination is
different. rp_filter filters the source not the destination.
,----[ /usr/src/linux/Documentation/proc.txt ]
| rp_filter
| Integer value deciding if source validation should be made.
^^^^^^
| 1 means yes, 0 means no. Disabled by default, but
| local/broadcast address spoofing is always on.
|
| If you set this to 1 on a router that is the only connection
| for a network to the net , it evidently prevents spoofing attacks
| against your internal networks (external addresses can still be
| spoofed), without the need for additional firewall rules.
`----
Regards, Guido
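To make the distinction in Guido's reply concrete (source validation, not destination filtering), here is an added model of strict reverse-path filtering over a small constructed routing table; it is not code from the thread, and the interface names, prefixes and the separate destination rule are assumptions for illustration only.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for a small router (example values, not from the
# thread): prefix -> interface the kernel would forward to that prefix on.
ROUTES = {
    ip_network("192.168.1.0/24"): "eth0",  # internal LAN
    ip_network("10.0.0.0/8"): "eth0",      # other internal networks, LAN side
    ip_network("0.0.0.0/0"): "ppp0",       # default route: the Internet
}
INTERNAL_NETS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]
EXTERNAL_IFACE = "ppp0"


def route_lookup(addr):
    """Longest-prefix match: which interface a packet *to* addr would leave on."""
    best_net, best_iface = None, None
    for net, iface in ROUTES.items():
        if ip_address(addr) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rp_filter_accepts(src, in_iface):
    """rp_filter=1 (strict mode): accept a packet only if a reply to its
    *source* address would be routed out through the interface it arrived on.
    The destination address is never consulted, which is the point Guido makes."""
    return route_lookup(src) == in_iface


def dest_rule_accepts(dst, in_iface):
    """Assumed extra firewall rule (not something rp_filter does): refuse packets
    arriving on the external interface that are addressed to an internal network."""
    if in_iface != EXTERNAL_IFACE:
        return True
    return not any(ip_address(dst) in net for net in INTERNAL_NETS)


def classify(src, dst, in_iface):
    """Walk a packet through both checks and report where it stops, if anywhere."""
    if not rp_filter_accepts(src, in_iface):
        return "dropped by rp_filter (martian source)"
    if not dest_rule_accepts(dst, in_iface):
        return "passed rp_filter, dropped by destination rule"
    return "accepted"
```

A spoofed internal source arriving on ppp0 is a martian and rp_filter drops it, but a packet with a genuine external source and an internal destination passes rp_filter untouched; only the destination rule catches it.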