Date: Fri, 19 Aug 2011 15:10:14 -0400
From: Stephen Clark <sclark46@...thlink.net>
To: Chris Friesen <chris.friesen@...band.com>
CC: Pascal Hambourg <pascal@...uf.fr.eu.org>, Rémi Denis-Courmont <remi@...lab.net>, Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: Linux vs FreeBSD Which is correct.

On 08/19/2011 12:18 PM, Chris Friesen wrote:
> On 08/18/2011 06:42 AM, Stephen Clark wrote:
>
>> I guess I don't really understand what reverse path filter stuff is all
>> about, much less making it weaker.
>> But using 2 made the pings responses be seen.
>
> It's described in RFC3704. The idea is to block spoofed packets.
>
> From Documentation/networking/ip-sysctl.txt:
>
> rp_filter - INTEGER
>     0 - No source validation.
>     1 - Strict mode as defined in RFC3704 Strict Reverse Path
>         Each incoming packet is tested against the FIB and if the interface
>         is not the best reverse path the packet check will fail.
>         By default failed packets are discarded.
>     2 - Loose mode as defined in RFC3704 Loose Reverse Path
>         Each incoming packet's source address is also tested against the FIB
>         and if the source address is not reachable via any interface
>         the packet check will fail.
>
>     Current recommended practice in RFC3704 is to enable strict mode
>     to prevent IP spoofing from DDos attacks. If using asymmetric routing
>     or other complicated routing, then loose mode is recommended.
>
>     The max value from conf/{all,interface}/rp_filter is used
>     when doing source validation on the {interface}.
>
>     Default value is 0. Note that some distributions enable it
>     in startup scripts.
>
>
Thanks for taking the time to explain this. Much appreciated.

--

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
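
The rule quoted above from ip-sysctl.txt, that the max of conf/all and conf/{interface} is used for source validation, as an added example that is not part of the original message: a shell function that reports the effective rp_filter mode per interface. The optional directory argument and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: effective rp_filter per interface = max(conf/all, conf/<iface>),
# following the ip-sysctl.txt text quoted in the message above.

# rp_mode_name VALUE -> name of the mode as described in ip-sysctl.txt
rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rp_filter [CONFDIR]
# CONFDIR defaults to the live sysctl tree. Accepting another directory is
# an assumption of this example so the logic can be checked on a copy.
effective_rp_filter() {
    confdir="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$confdir/all/rp_filter" 2>/dev/null) || return 1
    for dir in "$confdir"/*/; do
        iface=$(basename "$dir")
        # "all" is the global knob; "default" only seeds new interfaces.
        case "$iface" in all|default) continue ;; esac
        val=$(cat "$dir/rp_filter" 2>/dev/null) || continue
        if [ "$val" -gt "$all" ]; then eff=$val; else eff=$all; fi
        echo "$iface all=$all iface=$val effective=$eff ($(rp_mode_name "$eff"))"
    done
}

# Constructed sample tree (not real system state): all=1, eth0=0, eth1=2.
demo_rp_filter() {
    tmp=$(mktemp -d) || return 1
    for kv in all=1 default=0 eth0=0 eth1=2; do
        mkdir -p "$tmp/${kv%%=*}"
        echo "${kv#*=}" > "$tmp/${kv%%=*}/rp_filter"
    done
    effective_rp_filter "$tmp"
    rm -rf "$tmp"
}

demo_rp_filter
```

In the sample, eth0 is set to 0 but still gets strict filtering because conf/all is 1, while eth1 set to 2 ends up in loose mode.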