lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4E4E8CEE.102@genband.com>
Date:	Fri, 19 Aug 2011 10:18:54 -0600
From:	Chris Friesen <chris.friesen@...band.com>
To:	sclark46@...thlink.net
CC:	Pascal Hambourg <pascal@...uf.fr.eu.org>,
	RĂ©mi Denis-Courmont 
	<remi@...lab.net>,
	Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: Linux vs FreeBSD Which is correct.

On 08/18/2011 06:42 AM, Stephen Clark wrote:

> I guess I don't really understand what reverse path filter stuff is all
> about, much less making it weaker.
> But using 2 made the pings responses be seen.

It's described in RFC3704.  The idea is to block spoofed packets.

 From Documentation/networking/ip-sysctl.txt:

rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
     Each incoming packet is tested against the FIB and if the interface
     is not the best reverse path the packet check will fail.
     By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
     Each incoming packet's source address is also tested against the FIB
     and if the source address is not reachable via any interface
     the packet check will fail.

    Current recommended practice in RFC3704 is to enable strict mode
    to prevent IP spoofing from DDos attacks. If using asymmetric routing
    or other complicated routing, then loose mode is recommended.

    The max value from conf/{all,interface}/rp_filter is used
    when doing source validation on the {interface}.

    Default value is 0. Note that some distributions enable it
    in startup scripts.



-- 
Chris Friesen
Software Developer
GENBAND
chris.friesen@...band.com
www.genband.com
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ