Date: Thu, 19 Sep 2002 17:21:18 -0400 From: Richard A Steenbergen <ras@e-gerbil.net> To: "Crist J. Clark" <cjc@FreeBSD.ORG> Cc: Adrian Penisoara <ady@freebsd.ady.ro>, freebsd-net@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: Desired feature: ipfw pass for routed IPs Message-ID: <20020919212118.GU1123@overlord.e-gerbil.net> In-Reply-To: <20020919181401.GA18752@blossom.cjclark.org> References: <Pine.BSF.4.10.10209191054220.82837-100000@ady.warpnet.ro> <20020919181401.GA18752@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Sep 19, 2002 at 11:14:01AM -0700, Crist J. Clark wrote: > On input packets, it'd be painful and not really practical. On output > packets, it shouldn't be _too_ bad since the routing information would > be available. > > I'm not quite sure I understand why it would be needed. If there isn't > a route to send a packet out of an interface, it won't go out of the > interface. Under what conditions would you see yourself blocking > packets? Is this really an ackbassward way to filter routes from > routing daemons? Sounds like he wants an implementation of unicast reverse path forwarding (uRPF) loose-mode to prevent source address spoofing of non-announced space. uRPF is simple, you do a 2nd routing lookup on the src address to check for a valid return route, either a) with a nexthop to the interface on which the packet was received, for filtering customers, or b) with a nexthop to any interface, for inbound on network borders. Strict-mode is only useful for devices which route, but loose-mode could potentially be used to reduce the impact of random source DoS attacks (sounds like something linux would do :P). Unfortunately, the performance impact of doing radix tree lookups for a full routing table to filter this way would probably be worse than not filtering at all. While any device which calls itself a modern router SHOULD have this functionality, I think there are more important things to fix first. :) -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020919212118.GU1123>