DNAT for two external NIC
Ming-Ching Tiew
mingching.tiew at redtone.com
Tue Sep 5 04:29:42 CEST 2006
From: "Ming-Ching Tiew" <mingching.tiew at redtone.com>
>
> I did not go through your post carefully enough to know what you are talking
> about. But my question was: why do we have to turn off reverse filter path
> checking to get multipath routing to work? The original idea of reverse
> filter path checking is to improve security by doing reverse path checking,
> i.e. by checking the source IP address of all packets coming in via an interface
> against the networks known to be behind that interface, the firewall/router
> can simply drop packets that aren't supposed to come from there. In the
> multipath routing case, the packets are INDEED supposed to be from the
> interface where they are coming from, so why are they dropped?
>
Perhaps this is what this patch is all about?
http://www.ssi.bg/~ja/#rp_filter_mask
I have noticed that Julian Anastasov's patch has existed for a long, long time,
but it has never been included in the standard kernel. I really wonder why.
Cheers.
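
The drop that the quoted message asks about, as an added example that is not part of the original post and is not taken from the linked patch or the kernel: a simplified Python model of strict reverse-path filtering on a router with two uplinks. The routing table, interface names and addresses are constructed, returning the first nexthop from the reverse lookup is an assumption of the model, and `feasible_rpf` follows the feasible-path idea described in RFC 3704.

```python
import ipaddress

# Constructed routing table for a router with two uplinks (sample data only).
# Each entry: (prefix, interfaces of its nexthops). For a multipath route the
# model assumes a single-path reverse lookup returns the first nexthop.
ROUTES = [
    ("192.168.1.0/24", ["eth2"]),       # LAN behind the router
    ("198.51.100.0/24", ["eth0"]),      # link to ISP A
    ("203.0.113.0/24", ["eth1"]),       # link to ISP B
    ("0.0.0.0/0", ["eth0", "eth1"]),    # multipath default route
]


def reverse_lookup(src):
    """Longest-prefix match on the packet's SOURCE address."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(prefix), nexthops)
               for prefix, nexthops in ROUTES
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return []
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def strict_rpf(src, in_iface):
    """Accept only if the selected route back to src leaves via in_iface."""
    nexthops = reverse_lookup(src)
    return bool(nexthops) and nexthops[0] == in_iface


def feasible_rpf(src, in_iface):
    """Accept if any nexthop of the best route back to src uses in_iface."""
    return in_iface in reverse_lookup(src)


def evaluate(packets):
    """Return (src, iface, strict verdict, feasible verdict) per packet."""
    return [(s, i, strict_rpf(s, i), feasible_rpf(s, i)) for s, i in packets]


if __name__ == "__main__":
    sample = [
        ("192.0.2.10", "eth0"),    # Internet host arriving via ISP A
        ("192.0.2.10", "eth1"),    # same host arriving via ISP B
        ("192.168.1.5", "eth1"),   # LAN source address on an uplink: spoofed
    ]
    for row in evaluate(sample):
        print("src=%s in=%s strict=%s feasible=%s" % row)
```

In this model the packet arriving on eth1 is legitimate, yet the strict check drops it because the reverse lookup selects eth0, while the spoofed LAN source is rejected by both checks.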