Hi all,
On Wed, 14 Nov 2012, Stephen Clark wrote:
> On 11/14/2012 03:08 AM, Jozsef Kadlecsik wrote:
>> Then I don't understand what the problem is. When the reply packet is
>> sent out over the backup line, why should the source address fall into
>> the subnet of the outgoing interface? Unless, of course, you yourself
>> or your backup provider prevents it by egress filtering.
> A lot of ISPs in the U.S. do reverse path filtering and drop packets
> that could not originate from their provided subnet. If they did not do
> this then of course there would be no problem.
Not just in the US. It's common here in the UK too. IMHO all ISPs should
do this to prevent spoofing attacks, so that attacks are traceable, unless
you have a special agreement with them to use their connection for certain
specific other source addresses which are also traceable to you.
Cheers, Chris.
--
Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
Future Business, Cam City FC, Milton Rd, Cambridge, CB4 1UY, UK
Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.
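The provider-side filtering Stephen and Chris describe, modelled as an added example (not code from the thread): an ISP drops packets arriving from a customer link whose source address is outside the prefix it assigned to that link, unless it has agreed to accept further prefixes. The prefixes, addresses and the two-uplink site are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed scenario: a multihomed site with a primary and a backup
# uplink, each provided by a different ISP and each with its own prefix.
UPLINK_PREFIXES = {
    "primary": ipaddress.ip_network("203.0.113.0/24"),  # assigned by ISP A
    "backup": ipaddress.ip_network("198.51.100.0/24"),  # assigned by ISP B
}


@dataclass
class Packet:
    src: str
    dst: str
    egress: str  # the site's uplink the packet leaves on


def isp_ingress_filter(pkt: Packet, agreed_prefixes=None) -> str:
    """Model of the ISP-side anti-spoofing check on the customer-facing link.

    The packet is accepted only if its source address lies in the prefix the
    ISP delegated to that link, or in a prefix the ISP has separately agreed
    to carry for this customer. Returns "accept" or "drop".
    """
    src = ipaddress.ip_address(pkt.src)
    allowed = [UPLINK_PREFIXES[pkt.egress]] + list(agreed_prefixes or [])
    return "accept" if any(src in prefix for prefix in allowed) else "drop"


def run_scenario() -> dict:
    """Reply packets carrying the site's primary address, sent over each uplink."""
    reply_via_primary = Packet("203.0.113.10", "192.0.2.1", "primary")
    reply_via_backup = Packet("203.0.113.10", "192.0.2.1", "backup")
    # The "special agreement" case: the backup ISP also accepts the primary prefix.
    agreed = [UPLINK_PREFIXES["primary"]]
    return {
        "primary_uplink": isp_ingress_filter(reply_via_primary),
        "backup_uplink_no_agreement": isp_ingress_filter(reply_via_backup),
        "backup_uplink_with_agreement": isp_ingress_filter(reply_via_backup, agreed),
    }


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case}: {verdict}")
```

The middle case is the failover problem raised in the thread: the reply is legitimate, but to the backup ISP its source looks spoofed, so strict filtering drops it unless the prefix has been agreed in advance.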