rp_filter not working ??
Thu, 21 Sep 2000 09:05:50 +1000
> But, shouldn't any packets with a private address
> like that get dropped before the netfilter code by rp_filter (which is set
> to 1 for all interfaces) since it is obviously spoofed ?
This probably doesn't answer your question but there seems to be two
levels you can set for rp_filter. From the 2.2 kernel docs
rp_filter - INTEGER
2 - do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network
routers. Could cause troubles for complicated (not loop free)
networks running a slow unreliable protocol (sort of RIP),
or using static routes.
1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
that look as sourced at a directly connected interface, but
were input from another interface.
0 - No source validation.
But in proc.txt it says:
Integer value deciding if source validation should be made.
1 means yes, 0 means no. Disabled by default, but
local/broadcast address spoofing is always on.
If you set this to 1 on a router that is the only connection
for a network to the net , it evidently prevents spoofing attacks
against your internal networks (external addresses can still be
spoofed), without the need for additional firewall rules.
So maybe you need to set it to 2 to get complete protection.