From: Mike Meyer
Date: Mon, 14 Aug 2000 18:45:40 -0500 (CDT)
To: gerti-freebsdq@bitart.com
Cc: questions@freebsd.org
Subject: Re: Routing based on source IP?
Message-ID: <14744.33956.296043.288496@guru.mired.org>

Gerd Knops writes:
> Mike Meyer wrote:
> > Gerd Knops writes:
> > Note that for protection purposes, source routing is generally
> > frowned on, as it's too easily forged. You throw out packets from the
> > outside world claiming to come from the inside world, and otherwise
> > don't trust the source.
> If I understand correctly, what I want isn't necessarily the same as
> the frowned upon 'source routing' (though I might be wrong).

The key words are "for protection purposes". If you're trying to do
this to keep hostile users from doing something, it won't work very
well. If you're trying to do load or cost balancing or some such, then
it's not "for protection purposes". Just remember that forging source
addresses is pretty trivial, so if someone wants to avoid this, they
will.
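Added example, not part of the original message: a sketch of the border check described above, showing the one case where a source address can be proven forged and why every other outside source stays unverified. The interface names and prefixes are assumptions (documentation ranges), and the inside-interface check goes slightly beyond what the message states.

```python
import ipaddress

# Assumed topology for illustration only (not from the original message).
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]
OUTSIDE_IF = "ext0"   # hypothetical outside-facing interface
INSIDE_IF = "int0"    # hypothetical inside-facing interface


def is_inside(addr):
    """True if addr falls within one of the inside prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def ingress_verdict(iface, src):
    """What the border can conclude from arrival interface plus claimed source.

    "drop"      - the source contradicts the arrival interface, so it is forged
    "untrusted" - outside packet with an outside source; nothing verifies the claim
    "inside"    - inside packet with an inside source
    """
    inside_src = is_inside(src)
    if iface == OUTSIDE_IF:
        # Outside world claiming to be the inside world: throw it out.
        return "drop" if inside_src else "untrusted"
    if iface == INSIDE_IF:
        # Extension beyond the message: an inside host using a foreign source.
        return "inside" if inside_src else "drop"
    raise ValueError(f"unknown interface: {iface}")


# Constructed sample packets: (arrival interface, claimed source address).
CONSTRUCTED_PACKETS = [
    ("ext0", "192.0.2.10"),    # forged inside address arriving from outside
    ("ext0", "198.51.100.7"),  # may be genuine or forged; the filter cannot tell
    ("int0", "192.0.2.10"),    # ordinary inside host
    ("int0", "203.0.113.5"),   # inside host claiming a foreign address
]


def classify(packets):
    """Return the verdict for each (interface, source) pair, in order."""
    return [ingress_verdict(iface, src) for iface, src in packets]


if __name__ == "__main__":
    for (iface, src), verdict in zip(CONSTRUCTED_PACKETS, classify(CONSTRUCTED_PACKETS)):
        print(f"{iface:5} {src:15} -> {verdict}")
```

The "untrusted" verdict is the point of the reply: routing on source address can serve load or cost balancing, but it cannot authenticate the sender.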