rp_filter not working ??
Ian Mortimer
ian@physics.uq.edu.au
Thu, 21 Sep 2000 09:05:50 +1000
> But, shouldn't any packets with a private address
> like that get dropped before the netfilter code by rp_filter (which is set
> to 1 for all interfaces) since it is obviously spoofed ?
This probably doesn't answer your question, but there seem to be two
levels you can set for rp_filter. From the 2.2 kernel docs
(networking/ip-sysctl.txt):
    rp_filter - INTEGER
        2 - do source validation by reversed path, as specified in RFC1812
            Recommended option for single homed hosts and stub network
            routers. Could cause troubles for complicated (not loop free)
            networks running a slow unreliable protocol (sort of RIP),
            or using static routes.
        1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
            that look as sourced at a directly connected interface, but
            were input from another interface.
        0 - No source validation.
But in proc.txt it says:
    rp_filter
        Integer value deciding if source validation should be made.
        1 means yes, 0 means no. Disabled by default, but
        local/broadcast address spoofing is always on.
        If you set this to 1 on a router that is the only connection
        for a network to the net, it evidently prevents spoofing attacks
        against your internal networks (external addresses can still be
        spoofed), without the need for additional firewall rules.
So maybe you need to set it to 2 to get complete protection.
Ian
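Added example, not part of Ian's message or the kernel source: a small Python model of the three rp_filter levels as the 2.2 ip-sysctl.txt text describes them, evaluated against a constructed routing table for a stub router (assumed interfaces: eth0 internal LAN, ppp0 upstream link with the default route). It also shows the caveat behind "external addresses can still be spoofed": a source that only matches the default route out the upstream interface passes even level 2.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table (assumption): (prefix, outgoing interface,
# directly connected?). eth0 is the internal LAN, ppp0 the upstream link.
ROUTES = [
    (ip_network("192.168.1.0/24"), "eth0", True),   # LAN on eth0
    (ip_network("10.0.0.0/8"), "eth0", False),      # static route via a LAN gateway
    (ip_network("0.0.0.0/0"), "ppp0", False),       # default route upstream
]


def lookup(src):
    """Longest-prefix match. Returns (iface, directly_connected) or None."""
    best = None
    for net, iface, direct in ROUTES:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, direct)
    return None if best is None else (best[1], best[2])


def rp_filter(level, src, in_iface):
    """Model of the 2.2 docs: return 'accept' or 'drop' for a packet with
    source address src arriving on in_iface under the given rp_filter level."""
    src = ip_address(src)
    if level == 0:                      # no source validation
        return "accept"
    route = lookup(src)
    if level == 1:
        # weaker form: drop only if the source belongs to a directly connected
        # network that hangs off a different interface than the packet came in on
        if route is not None and route[1] and route[0] != in_iface:
            return "drop"
        return "accept"
    if level == 2:
        # RFC1812 reverse path: the best route back to the source must leave
        # through the interface the packet arrived on; no route at all fails too
        if route is None or route[0] != in_iface:
            return "drop"
        return "accept"
    raise ValueError("unknown rp_filter level %r" % level)


if __name__ == "__main__":
    for lvl in (0, 1, 2):
        for src in ("192.168.1.50", "10.2.3.4", "172.16.0.1"):
            print(lvl, src, "from ppp0 ->", rp_filter(lvl, src, "ppp0"))
```

Note how 10.2.3.4 (reachable via a static route behind eth0) is only dropped at level 2, while 172.16.0.1 is accepted at every level because its best route is the default route out ppp0, the very interface it arrived on.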