Hello! cronolog+lartc, on that day it was said...

> Rather than disable rp_filter (by setting to 0 on all interfaces I presume),
> what about setting it to 2 for Loose mode instead, and only on the affected
> interfaces, so only those interfaces change behaviour?
> Loose mode would allow the packet as long as there is a valid route on any
> interface, instead of the specific interface it comes in on. So as long as a
> default route exists anywhere, the packet should pass.

Bingo!

> Potentially this opens up the interface to spoofed traffic, as it would now
> allow traffic with source IP belonging to subnets on your private interfaces,
> because obviously you would have routes to those too. But that can be solved
> easily with iptables rules. Generally I block all packets with source in all
> private IP ranges on Internet-facing interfaces, with exceptions if necessary
> e.g. for external DMZ etc.

I do exactly the same things. To at least have notices, I've also enabled 'log_martians'.

Many thanks!!!

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
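The scheme agreed on in the thread (loose rp_filter only on the affected interfaces, log_martians on, and explicit anti-spoofing rules for private source ranges on the Internet-facing side), as an added example script that is not part of the original post. Interface names (eth0 as WAN, eth1 as LAN) and the iptables chain layout are assumptions; the script only prints the commands unless run with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Assumed layout: eth0 faces the
# Internet, eth1 is the private LAN. Override with WAN_IFACES / LAN_IFACES.
WAN_IFACES="${WAN_IFACES:-eth0}"
LAN_IFACES="${LAN_IFACES:-eth1}"
# RFC 1918 ranges that must never appear as a source on a WAN interface.
PRIVATE_SRC="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Dry-run wrapper: print the command, or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# rp_filter values: 0 = off, 1 = strict, 2 = loose. The kernel uses the maximum
# of conf.all and conf.<iface>, so keeping "all" at 1 and raising only the WAN
# interfaces to 2 changes behaviour on those interfaces alone.
rp_filter_cmds() {
  run sysctl -w net.ipv4.conf.all.rp_filter=1
  for i in $WAN_IFACES; do run sysctl -w "net.ipv4.conf.$i.rp_filter=2"; done
  for i in $LAN_IFACES; do run sysctl -w "net.ipv4.conf.$i.rp_filter=1"; done
  # Log packets that still fail source validation, so the change is visible.
  run sysctl -w net.ipv4.conf.all.log_martians=1
}

# Loose mode no longer rejects a WAN packet whose source belongs to a LAN
# subnet (a route to it exists), so drop those explicitly on the WAN side,
# logging a rate-limited sample first. Add exceptions (e.g. a DMZ) before
# these rules if needed.
antispoof_cmds() {
  for i in $WAN_IFACES; do
    for net in $PRIVATE_SRC; do
      run iptables -A INPUT -i "$i" -s "$net" -m limit --limit 5/min \
        -j LOG --log-prefix "SPOOF $i: "
      run iptables -A INPUT -i "$i" -s "$net" -j DROP
      run iptables -A FORWARD -i "$i" -s "$net" -j DROP
    done
  done
}

rp_filter_cmds
antispoof_cmds
```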