On Tue, 2003-09-23 at 15:22, Chris Brenton wrote: > Ray Leach wrote: > > > > How about : > > ### don't accept source routed packets > > /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route > > I keep meaning to do some testing with this but have not had the > bandwidth. Just wondering if anyone else actually has. > > I would expect the above would work fine with strict source routing, but > I'm not so sure about loose source routing unless the firewall was one > of the defined jump points. > > For example, let's say I know you "trust" some IP address on the > Internet and permit a greater level of access from it to one of your > internal systems. I craft the following packet: > > source IP = mine > Dest IP = "trusted" Internet host > First byte of IP options = 83 > IP in options field = your internal server > > In this case none of the IPs are the firewalls so I'm not so sure > accept_source_route would even be referenced. Does the kernel check the > size of all IP headers and process the included options even if its not > the destination IP? I would think it would not for efficiency, but then > again it might to deal with things like option 7 (record route). > > Has anyone tested this either way? > I suppose the easy answer is to check the kernel source code. > Thanks in advance! > Chris -- -- Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx> Network Support Specialist http://www.knowledgefactory.co.za "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import" Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28 --
Attachment:
signature.asc
Description: This is a digitally signed message part
