Re: Add separated timeout for the connections that only receive packets in one direction

On Fri, Nov 27, 2009 at 7:47 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> Changli Gao wrote:
>> It is not easy to spoof in both directions. Routers won't forward it if the destination is at the same side.
>
> Please don't top post.

Sorry, I didn't notice that G1 top posts.

>
> They don't need to forward anything, conntrack handles the packet before
> routing.
>

Think about this topology:

Attacker -> router1 -> router2 -> ... -> Linux Router -> Apache.

The packets in the other direction won't be sent to the Linux Router,
as the other routers will route them to another place.

Case 2:

Attacker ---+
            +-- Linux Router --> WAN
Victim -----+

If we do something like RPF before entering conntrack, the packets in the
other direction won't be in.

-- 
Regards,
Changli Gao(xiaosuo@xxxxxxxxx)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
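Worked example of the "RPF before entering conntrack" suggestion in the message above. This is an editor's addition, not code from the thread or from the netfilter project. It assumes a current nftables with the fib expression (or iptables with the rpfilter match); both postdate this 2009 thread. It also assumes the Linux router already has its real interfaces and routing table configured, since the reverse-path lookup consults the FIB. The table, chain and counter names are arbitrary.

```nft
# Added example (editor's, not from the thread or the netfilter project).
# Assumes nftables with the fib expression; names below are arbitrary.
table inet rpf_before_conntrack {
    chain prerouting {
        # Priority "raw" is -300; the conntrack hook sits at -200, so a
        # packet dropped here is never seen by conntrack at all.
        type filter hook prerouting priority raw; policy accept;

        # Strict reverse-path check: drop if the route back to the packet's
        # source address would not leave through the interface it came in on.
        # A forged "reply" (src = Apache, arriving from the attacker's side)
        # fails this lookup and so cannot refresh or complete the one-way
        # conntrack entry that the original direction created.
        fib saddr . iif oif missing counter drop

        # Loose variant for routers with asymmetric but legitimate paths:
        # only require that some route to the source exists.
        # fib saddr oif missing counter drop
    }
}

# Equivalent with iptables (rpfilter match, also newer than this thread),
# again in the raw table so that it runs before conntrack:
#   iptables  -t raw -A PREROUTING -m rpfilter --invert -j DROP
#   ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
```

Placement is the whole point: the conntrack hook runs at priority -200, so a chain at priority raw (-300) drops a spoofed packet before conntrack can create a new entry or promote an existing one-directional entry to "seen reply". The same fib rule in a filter chain (priority 0) runs after conntrack has already processed the packet and does nothing for this problem. The check only helps in the second topology when the attacker and the victim are reached through different interfaces of the Linux router; if they share an interface (or a bridge port), the reverse-path lookup for the victim's address succeeds from the attacker's ingress as well, and RPF cannot tell the two apart.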