Subject: source validate by reversed path (rp_filter)
To: None <tech-net@netbsd.org>
From: David Brownlee <abs@mono.org>
List: tech-net
Date: 02/22/2000 22:18:54
Does NetBSD have a sysctl for something similar? If not, would one
make any sense?
David/absolute
---------- Forwarded message ----------
Date: Sun, 20 Feb 2000 13:44:12 -0700
From: Chuck Phillips <cdp@PEAKPEAK.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: rp_filter? (was Re: DDOS Attack Mitigation)
> [-questions on rp_filter-]
You may need to dig a little deeper into the documentation. From the linux
2.2.14 kernel sources, .../Documentation/networking/ip-sysctl.txt:
----------------8<----------------8<----------------8<----------------
rp_filter - INTEGER
2 - do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network
routers. Could cause troubles for complicated (not loop free)
networks running a slow unreliable protocol (sort of RIP),
or using static routes.
1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
that look as sourced at a directly connected interface, but
were input from another interface.
0 - No source validation.
NOTE: do not disable this option! All BSD derived routing software
(sort of gated, routed etc. etc.) is confused by such packets,
even if they are valid. When enabled it also prevents ip spoofing
in some limited fashion.
NOTE: this option is turned on per default only when ip_forwarding
is on. For non-forwarding hosts it doesn't make much sense and
makes some legal multihoming configurations impossible.
----------------8<----------------8<----------------8<----------------
A lot of other information that would be interesting to the Linux folks on
this list can be found in that file.
Hope this helps,
Chuck