Re: rp_filter || log_martians doesn't work as expected

On Wed, Feb 07, 2001 at 03:25:26PM +0100, Serge Maandag wrote:
> > root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "2" > $i ;done
> 
> Are you sure "2" is a valid setting? "1" seems more like it.
> It prevents spoofing, but does not prevent routing of ip-ranges other
> than directly connected networks. To do that, you do need ipchains.

Thank you for your fast reply ;-)

According to linux-2.2.18/Documentation/networking/ip-sysctl.txt

---> cut <---
rp_filter - INTEGER
        2 - do source validation by reversed path, as specified in RFC1812
            Recommended option for single homed hosts and stub network
            routers. Could cause troubles for complicated (not loop free)
            networks running a slow unreliable protocol (sort of RIP),
            or using static routes.

        1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
            that look as sourced at a directly connected interface, but
            were input from another interface.

        0 - No source validation.

        NOTE: do not disable this option! All BSD derived routing software
        (sort of gated, routed etc. etc.) is confused by such packets,
        even if they are valid. When enabled it also prevents ip spoofing
        in some limited fashion.

        NOTE: this option is turned on per default only when ip_forwarding
        is on. For non-forwarding hosts it doesn't make much sense and
        makes some legal multihoming configurations impossible.
---> cut <---

Since I'm not a native English speaker, maybe I'm interpreting it in the wrong
way. Please correct me if it's not like that.

-- 
        =- --rw------- =--=--=--=--=--=--=--=--=--=--=--=--=--=
          Theodor Milkov           Administrator IP Networks
          Davidov Electric Ltd.    Phone: +359 (2) 730158
          PGP: http://www.zimage.delbg.com/zimage.asc
        =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
