[ale] Another Ipchains question
Joe Steele
joe at madewell.com
Fri Jan 25 13:09:47 EST 2002
On Thursday, January 24, 2002 1:07 PM, Chris Ricker wrote:
>
> On Thu, 24 Jan 2002, Joe Steele wrote:
>
> > There are a couple acceptable strategies OSes can implement for
> > handling incoming packets on a given interface. One strategy is to
> > consider the packet as local if its destination address matches the
> > address of *any* interface on the host, not just the interface on
> > which it arrived. The other strategy is to require local packets to
> > have a destination address which matches the specific interface on
> > which they arrive.
> >
> > My understanding has been that Linux implements the first strategy
> > (someone correct me if this has changed).
>
> By default (since not doing so breaks routing), Linux considers any packet
> with a local address local, regardless of incoming interface. This is
> run-time configurable either globally or per interface, however.
>
> See /proc/sys/net/ipv4/conf/*/rp_filter
>
> 0 means accept any local address. 1 means to reverse the path and make sure
> the destination interface matches the destination address.
>
I'm not sure that this is stated this correctly. As I see it, when
this option is enabled, the route back to the source address is
checked, and if the outgoing interface is found to be different from
the interface on which the packet arrived, the packet is dropped.
This option is a form of source validation and is a useful defense
against certain types of source address spoofing. However, it
doesn't affect the local acceptance of packets whose destination
address matches an interface different from the one on which they
arrive (so long as the source address checks out o.k.).
Consequently, firewall rules should not overlook the possibility of
malicious packets arriving which use alternative destination
addresses.
--Joe Unrecognized Data: application/ms-tnef
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list