From: Olivier Warin
Date: Sat, 31 Dec 2005 01:34:07 +0100
To: freebsd-pf@freebsd.org
Subject: Re: [feature] ipfw verrevpath/versrcreach?

Hi,

This feature will help to mitigate DoS attacks, I vote for it :-)

verrevpath & versrcreach are references to the Cisco Reverse Path Forwarding algorithm, which was first cited in RFC1812.

I would add that, AFAIK, the partial implementation, antispoof (which is unable to make the distinction between "strict" & "loose" modes), prevents pf from being used on Internet eXchange Points, in an ISP-ISP environment (because of asymmetric routing).

Maybe recent commits in pf related to openbgpd change this?

Regards,

On 31 Dec. 05 at 00:50, Łukasz Bromirski wrote:

> Hi all,
>
> Is there by any chance work being done on pf to include functionality
> that is present in FreeBSD ipfw, that checks if packet entered
> router via correct interface as pointed out by routing table?
>
> I know there is antispoof, but it's simple check of connected network
> and interface address, not full lookup to routing table contents.
> On ipfw it's called verrevpath (checking if routing table points
> for this source IP to the interface it came on) and versrcreach
> (the same but default and blackhole routes don't count).
>
> --
> this space was intentionally left blank | Łukasz Bromirski
> you can insert your favourite quote here | lukasz:bromirski,net

--
Olivier Warin - http://xview.net
Stay connected !