On Mon, 30 Nov 2009, Changli Gao wrote:

> Think about this topology:
>
> Attacker -> router1 -> router2 -> ... -> Linux Router -> Apache.
>
> The packets in the other direction won't be sent to the Linux Router,
> as the other routers will route them to the other place.

Sorry, I don't get it. If the attacker forges the source IP of the packet so that Apache thinks it's a local machine from its own point of view and answers it on the LAN, then that's the fault of the Linux Router operator: ingress and egress filtering is a must, period.

If the attacker forges the source IP of the packet otherwise, so that Apache thinks it's a non-local machine, then Apache will send the answer via the Linux Router regardless of the routing table of any router out there.

> Case 2:
>
> Attacker ---+
>             +-- Linux Router --> WAN
> Victim -----+
>
> If we do sth. like RPF before entering conntrack, the packets in the
> other direction won't be in.

Here again I don't understand it completely: if there's an attacker on the LAN, then the point is not to mitigate the load for the Linux Router but first to find the attacker and then to prevent source IP forging.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
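The ingress/egress filtering Jozsef calls mandatory is what Linux's rp_filter sysctl does (1 = strict, 2 = loose). The following is an added example, not code from the thread or from netfilter, that simulates that reverse-path check over a constructed routing table for the Linux Router in the first topology (interface names eth0/eth1/eth2 and all addresses are assumptions). It shows a WAN packet forging a LAN source being dropped (ingress filtering), a LAN host forging a non-local source being dropped (egress filtering), and the caveat a practitioner wants: with asymmetric routing like Changli's first case, strict mode also drops legitimate packets, which is what loose mode exists for.

```python
import ipaddress

# Constructed routing table for the "Linux Router": Apache and its LAN sit
# behind eth0, everything else is reached through the WAN link on eth1.
# Interface names and prefixes are assumptions for this example.
ROUTES = [
    ("192.0.2.0/24", "eth0"),   # LAN: Apache and local clients
    ("0.0.0.0/0", "eth1"),      # default route: WAN
]

# Multi-homed variant for the asymmetric-routing caveat: 203.0.113.0/24 is
# routed out via eth1, but packets from it may legitimately arrive on eth2
# because the upstream routers chose a different path (Changli's case 1).
ROUTES_ASYM = [
    ("192.0.2.0/24", "eth0"),
    ("203.0.113.0/24", "eth1"),
    ("0.0.0.0/0", "eth2"),
]


def route_lookup(routes, addr):
    """Longest-prefix match; returns the egress interface, or None if unroutable."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_accept(routes, src, in_iface, mode="strict"):
    """Reverse-path check in the spirit of Linux rp_filter.

    strict: the route back to src must leave through the interface the
            packet arrived on (rp_filter=1). This is the ingress/egress
            filtering a border router must do.
    loose:  any route back to src suffices (rp_filter=2); it only rejects
            sources that are not routable at all.
    """
    back = route_lookup(routes, src)
    if back is None:
        return False
    if mode == "loose":
        return True
    return back == in_iface


def filter_packets(routes, packets, mode="strict"):
    """Apply the check to (src, in_iface) pairs; returns (src, iface, verdict) triples."""
    return [(src, iface, "ACCEPT" if rpf_accept(routes, src, iface, mode) else "DROP")
            for src, iface in packets]


# Constructed packets mirroring the cases discussed in the thread.
PACKETS = [
    ("192.0.2.50", "eth1"),     # WAN packet claiming a LAN source (ingress filtering)
    ("198.51.100.7", "eth0"),   # LAN host claiming a non-local source (egress filtering)
    ("203.0.113.9", "eth1"),    # ordinary WAN client, accepted in both modes
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode)
        for src, iface, verdict in filter_packets(ROUTES, PACKETS, mode):
            print(f"  {src:>14} in {iface}: {verdict}")
    # Asymmetric routing: a legitimate packet from 203.0.113.9 arrives on eth2.
    print("asym strict:", rpf_accept(ROUTES_ASYM, "203.0.113.9", "eth2", "strict"))
    print("asym loose :", rpf_accept(ROUTES_ASYM, "203.0.113.9", "eth2", "loose"))
```

Note the trade-off the last two lines expose: loose mode keeps the asymmetric path working but also lets the forged-LAN-source packet through, because 192.0.2.50 is routable somewhere. On a border router with a single upstream, strict mode on every interface is the right setting; with multiple upstreams and asymmetric return paths, strict mode on the LAN side plus loose mode on the WAN side is the usual compromise, combined with explicit rules that drop LAN prefixes arriving from the WAN.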