Date: Wed, 21 Jul 2004 13:53:28 +0200
From: Andre Oppermann <andre@freebsd.org>
To: James <james@towardex.com>
Cc: James <haesu@towardex.com>
Subject: Re: IPFW2 versrcreach update
Message-ID: <40FE5938.6890EC8C@freebsd.org>
References: <20040720021237.GA74977@scylla.towardex.com> <40FCD21B.40CB83ED@freebsd.org> <20040721020418.GA53214@scylla.towardex.com> <40FE4367.AA7B0A7F@freebsd.org> <20040721114455.GA47249@scylla.towardex.com>
James wrote:
>
> Andre,
>
> >
> > James,
> >
> > it just occurred to me; but what is the purpose of versrcreach denying a
> > packet that will be discarded a few cycles later anyway? When I mark
> > a route with -reject I want the ICMPs to go out and still use the versrcreach
> > functionality in ipfw.
>
> The point is to have uRPF loose-check *drop* the packets sourced from IPs that
> are null-routed. A null route would discard the packet destined *to* the null
> route, but it would never drop a packet *sourced* with an IP within the null
> route.

Yea, sorry, you are right. Wasn't really up to speed this morning... ;-)

> uRPF should not emit an ICMP when it drops a -reject route. Even with
> ip unreachables, Cisco won't emit ICMP when uRPF is killing a packet. The source
> that triggered the uRPF drop condition cannot be trusted as it may have spoofed the
> packet.

Ok, I'll go ahead and commit this to ipfw2 later today.

--
Andre
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40FE5938.6890EC8C>
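The asymmetry the thread settles on, as an added example that is not part of the original message, of ipfw, or of FreeBSD: a small Python model of a routing table with `-reject` null routes, the loose-uRPF source check that `versrcreach` performs, and the forwarding decision. A packet *destined* to a `-reject` prefix gets an ICMP unreachable; a packet *sourced* from that prefix is silently dropped by the source check, and no ICMP is sent because the source is untrusted. The route table, prefixes (all from documentation ranges) and packets are constructed here; treating a default-route-only match as a failed check follows the `versrcreach` description in ipfw(8) and is an assumption of this model, not something the thread states.

```python
"""Model of the loose-uRPF (ipfw 'versrcreach') decision discussed above.

Added example: the table, prefixes and packets below are constructed for
illustration; this is not ipfw or FreeBSD code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str] = None   # None for reject/blackhole routes
    reject: bool = False            # like `route add ... -reject`: ICMP unreachable on dst lookup
    blackhole: bool = False         # like `route add ... -blackhole`: silent discard on dst lookup

    @property
    def is_default(self) -> bool:
        return self.prefix.prefixlen == 0


def lookup(table, addr) -> Optional[Route]:
    """Longest-prefix match over a plain list of routes."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for r in table:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def versrcreach(table, src) -> bool:
    """Loose uRPF: the source passes only if its best route is a real forwarding
    route, i.e. not a reject/blackhole route and (assumption, per ipfw(8)) not the
    default route."""
    r = lookup(table, src)
    return r is not None and not r.is_default and not (r.reject or r.blackhole)


def forward(table, src, dst, urpf=True):
    """Return (verdict, detail) for one packet.

    The versrcreach drop never generates ICMP: the source address is exactly the
    thing that cannot be trusted. Only the destination lookup may answer with ICMP.
    """
    if urpf and not versrcreach(table, src):
        return ("drop", "versrcreach failed; no ICMP (source untrusted)")
    r = lookup(table, dst)
    if r is None or r.blackhole:
        return ("drop", "no route or blackhole for destination; no ICMP")
    if r.reject:
        return ("icmp-unreach", f"ICMP host unreachable sent to {src}")
    return ("forward", r.gateway)


# Constructed routing table. 192.0.2.0/24 is null-routed with -reject, but a
# more specific /25 inside it is a live customer subnet.
TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), gateway="203.0.113.1"),
    Route(ipaddress.IPv4Network("198.51.100.0/24"), gateway="10.0.0.2"),
    Route(ipaddress.IPv4Network("192.0.2.0/24"), reject=True),
    Route(ipaddress.IPv4Network("192.0.2.128/25"), gateway="10.0.0.3"),
    Route(ipaddress.IPv4Network("203.0.113.0/24"), gateway="10.0.0.4"),
]


def demo():
    """Constructed packets exercising each branch; returns the verdict list."""
    cases = [
        ("198.51.100.7", "203.0.113.50", True),   # ordinary traffic
        ("192.0.2.9", "198.51.100.7", False),     # spoofed source, null route alone
        ("192.0.2.9", "198.51.100.7", True),      # same packet with versrcreach
        ("198.51.100.7", "192.0.2.9", True),      # destined *to* the -reject route
        ("192.0.2.200", "198.51.100.7", True),    # live /25 under the null /24
        ("192.168.1.1", "198.51.100.7", True),    # only the default route matches
    ]
    return [(s, d, u, forward(TABLE, s, d, urpf=u)) for s, d, u in cases]


if __name__ == "__main__":
    for src, dst, urpf, (verdict, detail) in demo():
        print(f"{src:>14} -> {dst:<14} urpf={urpf!s:5} {verdict:<12} {detail}")
```

The second and third cases are the point Andre conceded: with only the `-reject` route in place, the spoofed packet from 192.0.2.9 is forwarded normally, because the destination lookup never consults the source; it takes the source check to drop it, and that drop is silent. The fourth case shows the ICMP still going out for traffic *to* the null route, so enabling `versrcreach` does not cost the `-reject` behaviour.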