Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 05/07/2000 11:28:30
In some email I received from Michael Richardson, sie wrote:
>
> >>>>> "Erik" == Erik Fair <fair@clock.org> writes:
> Erik> This option should be tied to IPFORWARDING, in the following way:
>
> Erik> If you're a router (IPFORWARDING=1), then you should accept a
> Erik> packet with your IP address on it, regardless of what interface it
> Erik> came in, i.e. strict checking should be OFF.
>
> Erik> If you're not a router (IPFORWARDING=0), then the strict
>
> && IPFILTER==0
>
> Erik> destination code should be on, and packets that came in from the
> Erik> wrong interface should be rejected.
>
> If I'm a firewall, then I have IPFORWARDING on, since I want to forward.
> But, I still want strict address checking, since it makes my rules a lot
> simpler.
>
> Erik> I think those defaults will serve the majority effectively. We
> Erik> might still want to think about this in the context of multi-homed
> Erik> hosts (in the traditional definition of that term, please) a little
> Erik> more.
>
> I agree.
[...]
OK, so what about this.
Introduce ip_strictdest to control the acceptance of packets on interfaces
and default it to IPSTRICTDEST as follows:
IPSTRICTDEST undefined:
- IPFORWARDING=1 -> IPSTRICTDEST=0
- IPFORWARDING=0 -> IPSTRICTDEST=1
Otherwise, it takes the value as defined. I don't think the behaviour
should be restricted to following IPFORWARDING rules. For example, you
might have an NFS server which is also routing, and want to force
people to use the closest interface. You don't need the burden of IP
Filter enabled here.
Darren
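[Editor's added example, not part of the original message and not NetBSD's ip_input code or Darren's patch.] The proposal above has two parts: resolve the effective strict-destination setting from IPSTRICTDEST and IPFORWARDING, then apply it when deciding whether a packet addressed to one of our own interface addresses is accepted from the interface it actually arrived on. The userland simulation below shows both steps on a constructed three-interface host. The interface names and addresses, the -1 convention for "IPSTRICTDEST undefined", and the functions effective_strictdest, ip_for_us and classify are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Outcome of the "is this packet for us?" check. */
enum verdict { NOT_OURS = 0, ACCEPT = 1, WRONG_IF = 2 };

/* Constructed interface/address table for a hypothetical host
 * (a stand-in for the kernel's interface address list, not real ifnet data). */
struct ifaddr_entry { const char *ifname; const char *addr; };
static const struct ifaddr_entry ifaddrs[] = {
    { "fxp0", "192.0.2.1"    },
    { "fxp1", "198.51.100.1" },
    { "lo0",  "127.0.0.1"    },
};
#define N_IFADDRS (sizeof ifaddrs / sizeof ifaddrs[0])

/* Parse dotted-quad text into a network-order IPv4 address. */
static int ip4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = a.s_addr;
    return 1;
}

/* Step 1: the default rule from the message. ipstrictdest_cfg < 0 models
 * IPSTRICTDEST left undefined, in which case it follows IPFORWARDING
 * inversely; any explicit value (0 or 1) wins, so a forwarding NFS server
 * or firewall can still ask for strict checking. */
int effective_strictdest(int ipforwarding, int ipstrictdest_cfg)
{
    if (ipstrictdest_cfg < 0)
        return ipforwarding ? 0 : 1;
    return ipstrictdest_cfg ? 1 : 0;
}

/* Step 2: dst is the packet's destination, rcvif the interface it arrived on.
 * Non-strict: any local address is accepted on any interface.
 * Strict: accepted only if dst is configured on rcvif itself. */
enum verdict ip_for_us(const char *dst, const char *rcvif, int strictdest)
{
    uint32_t d, a;
    enum verdict v = NOT_OURS;

    if (!ip4(dst, &d))
        return NOT_OURS;
    for (size_t i = 0; i < N_IFADDRS; i++) {
        if (!ip4(ifaddrs[i].addr, &a) || a != d)
            continue;                       /* not one of our addresses */
        if (!strictdest || strcmp(ifaddrs[i].ifname, rcvif) == 0)
            return ACCEPT;
        v = WRONG_IF;                       /* ours, but arrived elsewhere */
    }
    return v;
}

/* Both steps together, as the input path would see them. */
enum verdict classify(const char *dst, const char *rcvif,
                      int ipforwarding, int ipstrictdest_cfg)
{
    int strict = effective_strictdest(ipforwarding, ipstrictdest_cfg);
    return ip_for_us(dst, rcvif, strict);
}

int main(void)
{
    static const char *names[] = { "NOT_OURS", "ACCEPT", "WRONG_IF" };
    /* fxp1's address arriving on fxp0, under the three configurations
     * discussed in the thread. */
    printf("router, IPSTRICTDEST undefined : %s\n",
           names[classify("198.51.100.1", "fxp0", 1, -1)]);
    printf("host,   IPSTRICTDEST undefined : %s\n",
           names[classify("198.51.100.1", "fxp0", 0, -1)]);
    printf("router, IPSTRICTDEST=1 (NFS)    : %s\n",
           names[classify("198.51.100.1", "fxp0", 1, 1)]);
    return 0;
}
```

The third case is the one the message argues for: forwarding stays on, yet a packet for fxp1's address that shows up on fxp0 is refused, without any packet filter involved.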