
Re: Fw: Can a daemon listen only on some interfaces?



On Mon, Dec 10, 2001 at 10:55:07PM +1000, mdevin wrote:
> On Mon, Dec 10, 2001 at 12:22:44PM +0000, Tim Haynes wrote:
> > Plato <tom@redant.freeserve.co.uk> writes:
> > 
> > > > >         echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter
> > > > > with    echo 1 > /proc/sys/net/ipv4/conf/*/log_martians
> > > > > for logging/fun purposes.
> > > > 
> > > > rp_filter will not help with that.
> > > 
> > > I thought that rp_filter was for precisely this. Doesn't it stop packets
> > > which appear on interfaces with invalid IP addresses for that interface
> > > from getting through?
> > 
> > It's a return-path filter; if flipping the src/dest IP#s wouldn't send it
> > back out the same interface, it doesn't come in at all. 
> > 
> > So a specially routed packet from a.b.c.d -> 127.0.0.1 coming in on eth0
> > becomes a             packet from 127.0.0.1 -> a.b.c.d going back out
> > 
> > That certainly looks wrong to me, although I'm not /sure/ it would produce
> > the required interface conflict for rp_filter.
> >
> 
> Hmmm.  I don't know.
> 
> On the test I ran in another part of this thread
> where I put a rule into my routing table to make packets destined for
> 192.168.0.2 get sent via loopback.  Then made sshd bind to address
> 192.168.0.2.  Then I was able to ssh into my box via the loopback
> interface by doing this: ssh 192.168.0.2, even though ssh 127.0.0.1 was
> refused.
> 
> All this was done while my iptables firewall was loaded and it does have
> the following in it:
> # Enable IP spoofing protection - turn on Source Address Verification
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > $f
> done
> # Log Spoofed Packets, Source Routed Packets, Redirect Packets
> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
>     echo 1 > $f
> done
> 
> However, the difference is that the packets that were being sent
> actually have destination address 192.168.0.2 and source address
> 192.168.0.2.  And this didn't cause any problem for the return path
> filter.  Whereas it might if it was trying to send back packets with a
> source of 127.0.0.1 and a destination of a.b.c.d.
> 
> I can't test this at present since I don't have another computer I can
> network with this one for a couple of days.  But a test could be run
> similar to the one I did earlier to check.

No.  On reading another post by Guido, this seems to do only what I have
written in the comments above, i.e. turn on Source Address Verification.
It hasn't got anything to do with destination addresses.

Cheers.
Mark.
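The point settled above, that rp_filter checks where a reply to the *source* address would be routed and ignores the destination, can be seen in a small model of the check. This is an added illustration, not the kernel's code and not part of the thread; the routing table is constructed from the setup described (192.168.0.2 reached via loopback, a LAN on eth0) and 10.0.0.5 stands in for the thread's a.b.c.d.

```python
import ipaddress

# Constructed routing table modelled on the thread: the host's own
# 192.168.0.2 is routed via loopback, the LAN via eth0, plus a default route.
ROUTES = [
    ("192.168.0.2/32", "lo"),
    ("127.0.0.0/8", "lo"),
    ("192.168.0.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(src, dst, in_iface, routes=ROUTES):
    """Simplified model of rp_filter=1 (strict reverse-path check).

    A packet is accepted only if a reply to its source address would be sent
    out through the interface it arrived on.  Note that dst is never consulted:
    the filter is about source address verification, exactly as the thread
    concludes.
    """
    return route_lookup(src, routes) == in_iface


if __name__ == "__main__":
    cases = [
        # Tim's scenario: a.b.c.d -> 127.0.0.1 arriving on eth0.  The source
        # routes back out eth0, so rp_filter lets it through; the odd
        # destination does not matter to it.
        ("10.0.0.5", "127.0.0.1", "eth0"),
        # Mark's loopback test: 192.168.0.2 -> 192.168.0.2 on lo, accepted.
        ("192.168.0.2", "192.168.0.2", "lo"),
        # Same source claimed on eth0: reply would go via lo, so it is dropped
        # (this is the spoofing case rp_filter does catch, and log_martians logs).
        ("192.168.0.2", "192.168.0.2", "eth0"),
        ("127.0.0.1", "10.0.0.5", "eth0"),
    ]
    for src, dst, iface in cases:
        verdict = "accept" if rp_filter_accepts(src, dst, iface) else "drop"
        print(f"{src} -> {dst} on {iface}: {verdict}")
```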
