On Mon, Dec 10, 2001 at 12:22:44PM +0000, Tim Haynes wrote:
> Plato <firstname.lastname@example.org> writes:
>
> > > > echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter
> > > > with echo 1 > /proc/sys/net/ipv4/conf/*/log_martians
> > > > for logging/fun purposes.
> > >
> > > rp_filter will not help with that.
> >
> > I thought that rp_filter was for precisely this. Doesn't it stop packets
> > which appear on interfaces with invalid IP addresses for that interface
> > from getting through?
>
> It's a return-path filter; if flipping the src/dest IP#s wouldn't send it
> back out the same interface, it doesn't come in at all.
>
> So a specially routed packet from a.b.c.d -> 127.0.0.1 coming in on eth0
> becomes a packet from 127.0.0.1 -> a.b.c.d going back out.
>
> That certainly looks wrong to me, although I'm not /sure/ it would produce
> the required interface conflict for rp_filter.

Hmmm. I don't know.

In the test I ran in another part of this thread, I put a rule into my
routing table to make packets destined for 192.168.0.2 get sent via
loopback. Then I made sshd bind to address 192.168.0.2. Then I was able
to ssh into my box via the loopback interface by doing this:

    ssh 192.168.0.2

even though:

    ssh 127.0.0.1

was refused.

All this was done while my iptables firewall was loaded, and it does have
the following in it:

    # Enable IP spoofing protection - turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done

    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
    done

However, the difference is that the packets that were being sent actually
have destination address 192.168.0.2 and source address 192.168.0.2, and
this didn't cause any problem for the return path filter. Whereas it might
if it was trying to send back packets with a source of 127.0.0.1 and a
destination of a.b.c.d.

I can't test this at present since I don't have another computer I can
network with this one for a couple of days. But a test similar to the one
I did earlier could be run to check.

Cheers.

Mark.
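The thread above hinges on whether rp_filter and log_martians are actually enabled on every interface, not just on the ones the firewall script happened to touch when it ran. The following shell script is an added example (not code from the original mail or from any of the posters): it audits the per-interface sysctl tree that the firewall script writes to and reports every interface where rp_filter or log_martians is not set to 1. The tree location is a parameter so the check can be run against a constructed directory for demonstration; the layout /proc/sys/net/ipv4/conf/<iface>/{rp_filter,log_martians} is the real one, but the interface names and values in make_sample_tree are constructed sample data.

```shell
#!/bin/sh
# Audit reverse-path filtering and martian logging per interface.
# Layout assumed: <confdir>/<iface>/rp_filter and <confdir>/<iface>/log_martians,
# as under /proc/sys/net/ipv4/conf on Linux. The directory is a parameter so the
# function can be exercised on a constructed tree as well as the live system.

# Prints one line per interface whose rp_filter or log_martians is not "1"
# (a missing file is reported as "missing") and returns the number of such
# interfaces, so 0 means every interface passed.
audit_rp_filter() {
    confdir="${1:-/proc/sys/net/ipv4/conf}"
    failures=0
    for d in "$confdir"/*/; do
        [ -d "$d" ] || continue          # no match: the glob stays literal
        iface=$(basename "$d")
        rp=$(cat "$d/rp_filter" 2>/dev/null || echo "missing")
        lm=$(cat "$d/log_martians" 2>/dev/null || echo "missing")
        # Only strict mode ("1") passes; "0" (off) and "2" (loose mode on
        # newer kernels) are both flagged so the operator sees them.
        if [ "$rp" != "1" ] || [ "$lm" != "1" ]; then
            printf '%s: rp_filter=%s log_martians=%s\n' "$iface" "$rp" "$lm"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sysctl-like tree for offline demonstration (sample data,
# not a real system): two of five interfaces are deliberately misconfigured.
make_sample_tree() {
    base="$1"
    for iface in all default lo eth0 eth1; do
        mkdir -p "$base/$iface"
    done
    echo 1 > "$base/all/rp_filter";     echo 1 > "$base/all/log_martians"
    echo 1 > "$base/default/rp_filter"; echo 1 > "$base/default/log_martians"
    echo 1 > "$base/lo/rp_filter";      echo 1 > "$base/lo/log_martians"
    echo 0 > "$base/eth0/rp_filter";    echo 1 > "$base/eth0/log_martians"
    echo 1 > "$base/eth1/rp_filter";    echo 0 > "$base/eth1/log_martians"
}

# Stand-alone demonstration on the constructed tree; on a real box run
# "audit_rp_filter" with no argument (or with /proc/sys/net/ipv4/conf).
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit_rp_filter "$tmp" || echo "interfaces failing the check: $?"
    rm -rf "$tmp"
}
demo
```

Because the return value is the failure count, the function drops straight into a cron job or a firewall script's self-check: a non-zero exit means some interface was brought up after the echo loop ran (or never existed when it ran) and is not covered.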