From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: Haesu, freebsd-isp@freebsd.org
Subject: RE: uRPF on FreeBSD
Date: Mon, 6 Oct 2003 14:02:52 +0200

> Is there any reverse-path verification feature in FreeBSD kernel?
>
> reverse-path verification as in uRPF (unicast reverse path filtering) widely
> used for anti-ip-spoofing.
>
> If it is supported, then does FreeBSD's uRPF implementation also allow loose
> and strict check like on Cisco?

Yes, IPFW2 has this option implemented as option 'verrevpath'.

ex. deny not verrevpath

man ipfw says:

     verrevpath
             For incoming packets, a routing table lookup is done on the
             packet's source address. If the interface on which the packet
             entered the system matches the outgoing interface for the
             route, the packet matches. If the interfaces do not match up,
             the packet does not match. All outgoing packets or packets
             with no incoming interface match.

             The name and functionality of the option is intentionally
             similar to the Cisco IOS command:

                   ip verify unicast reverse-path

             This option can be used to make anti-spoofing rules.

--
Sten
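The strict check the ipfw(8) text above describes, modelled in Python as an added illustration (not code from the thread or from ipfw itself): a longest-prefix route lookup on the source address, compared against the ingress interface, with the "no incoming interface" case always matching. The routing table, interface names and packets are constructed for the example.

```python
"""Model of ipfw's 'verrevpath' (strict unicast RPF) decision."""
import ipaddress

# Constructed routing table: (prefix, outgoing interface). Not a real system's table.
ROUTES = [
    ("192.0.2.0/24", "em0"),      # customer LAN behind em0
    ("198.51.100.0/24", "em1"),   # peering link on em1
    ("0.0.0.0/0", "em1"),         # default route via upstream on em1
]


def route_lookup(addr):
    """Longest-prefix match over ROUTES; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def verrevpath(src, in_iface):
    """True when the packet matches 'verrevpath' as the man page text describes:
    outgoing packets (no incoming interface) always match; an incoming packet
    matches only if the route back to its source leaves via the same interface
    it arrived on."""
    if in_iface is None:
        return True
    return route_lookup(src) == in_iface


def strict_rpf_filter(packets):
    """Verdicts for a rule like 'deny ip from any to any not verrevpath in'."""
    return ["pass" if verrevpath(src, iface) else "deny" for src, iface in packets]


# Constructed sample packets: (source address, ingress interface or None).
SAMPLE = [
    ("192.0.2.10", "em0"),    # LAN host arriving on the LAN interface: ok
    ("192.0.2.10", "em1"),    # LAN address arriving from upstream: spoofed
    ("203.0.113.5", "em1"),   # Internet address via the default route: ok
    ("203.0.113.5", "em0"),   # Internet address claimed by a LAN host: spoofed
    ("10.0.0.1", None),       # locally generated packet: always matches
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, strict_rpf_filter(SAMPLE)):
        print(pkt, verdict)
```

Note that with a default route present, the check only rejects sources for which a more specific route points at a different interface, so a strict rule is most effective on the customer-facing side where the expected source prefixes are known.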