Date: Mon, 6 Oct 2003 14:02:52 +0200
From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: "Haesu" <haesu@towardex.com>, <freebsd-isp@freebsd.org>
Subject: RE: uRPF on FreeBSD
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F1F3F14@exchange.wanglobal.net>
> Is there any reverse-path verification feature in FreeBSD kernel?
>
> reverse-path verification as in uRPF (unicast reverse path filtering) widely
> used for anti-ip-spoofing.
>
> If it is supported, then does FreeBSD's uRPF implementation also allow loose
> and strict check like on Cisco?

Yes, IPFW2 has this option implemented as option 'verrevpath'.

ex. deny not verrevpath

man ipfw says:

     verrevpath
             For incoming packets, a routing table lookup is done on the
             packet's source address. If the interface on which the packet
             entered the system matches the outgoing interface for the route,
             the packet matches. If the interfaces do not match up, the
             packet does not match. All outgoing packets or packets with no
             incoming interface match.

             The name and functionality of the option is intentionally
             similar to the Cisco IOS command:

                   ip verify unicast reverse-path

             This option can be used to make anti-spoofing rules.

--
Sten
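The match described in the quoted man page text, modelled in Python as an added example; it is not part of the original message and not FreeBSD's code. The routing table, the interface names (em0, em1, em2) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table: prefix -> outgoing interface (illustrative only).
ROUTES = [
    ("0.0.0.0/0", "em0"),          # default route towards the upstream
    ("192.0.2.0/24", "em1"),       # customer LAN
    ("198.51.100.0/24", "em2"),    # second customer
    ("198.51.100.128/25", "em1"),  # more specific route, wins over the /24
]
TABLE = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in ROUTES]


def route_interface(src):
    """Longest-prefix-match lookup on the packet's source address.

    Returns the outgoing interface of the best route, or None if no
    route covers the address.
    """
    addr = ipaddress.ip_address(src)
    candidates = [(net.prefixlen, ifc) for net, ifc in TABLE if addr in net]
    return max(candidates)[1] if candidates else None


def verrevpath(src, recv_if, direction="in"):
    """True if the packet 'matches' in the sense of the man page text."""
    # All outgoing packets, and packets with no incoming interface, match.
    if direction == "out" or recv_if is None:
        return True
    # Incoming: the receive interface must equal the interface the
    # routing table would use to reach the source address.
    return route_interface(src) == recv_if


def action(src, recv_if, direction="in"):
    """Effect of a 'deny not verrevpath' rule on one packet."""
    return "pass" if verrevpath(src, recv_if, direction) else "deny"


if __name__ == "__main__":
    # Constructed sample packets: (source address, receive interface).
    for src, ifc in [("192.0.2.10", "em1"), ("192.0.2.10", "em0"),
                     ("203.0.113.5", "em1"), ("198.51.100.200", "em2")]:
        print(f"{src:>15} in via {ifc}: {action(src, ifc)}")
```

Because the comparison is against the single best route, a source that is legitimately reachable over a different interface than the one it arrived on (asymmetric routing) is denied as well.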