Date: Mon, 14 Aug 2000 22:05:38 -0500
From: Dan Nelson
To: Mike Meyer
Cc: gerti-freebsdq@bitart.com, questions@FreeBSD.ORG
Subject: Re: Routing based on source IP?

In the last episode (Aug 14), Mike Meyer said:
> Gerd Knops writes:
> > Mike Meyer wrote:
> > > Note that for protection purposes, source routing is generally
> > > frowned on, as it's too easily forged. You throw out packets from
> > > the outside world claiming to come from the inside world, and
> > > otherwise don't trust the source.
> >
> > If I understand correctly, what I want isn't necessarily the same
> > as the frowned upon 'source routing' (though I might be wrong).
>
> The key words are "for protection purposes". If you're trying to do
> this to keep hostile users from doing something, it won't work very
> well. If you're trying to do load or cost balancing or some such,
> then it's not "for protection purposes". Just remember that forging
> source addresses is pretty trivial, so if someone wants to avoid
> this, they will.

He's not talking about source routing, though. Source routing means
embedding routing information in a packet to try and force an
intermediate router to route that packet differently. Gerd just has
two interfaces on his box, and he wants to be able to select which
interface a particular packet is going to go out on, based on its
source address.

--
Dan Nelson
dnelson@emsphone.com
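
An added example, not part of the original message or thread: a small filter that separates the two things discussed above, IP source routing (LSRR/SSRR options carried inside the packet) and the ingress check Mike describes (dropping packets that arrive from outside while claiming an inside source). The interface names, networks and sample headers are constructed assumptions.

```python
import ipaddress
import struct

LSRR, SSRR = 131, 137  # IPv4 option types for loose/strict source routing (RFC 791)

def build_header(src, dst, options=b""):
    """Build a constructed IPv4 header for the samples (checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + options

def parse_ipv4(header):
    """Return (source address, list of option types) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad header length")
    opts, i = [], 20
    while i < ihl:
        kind = header[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            raise ValueError("malformed option")
        opts.append(kind)
        i += header[i + 1]
    return ipaddress.IPv4Address(header[12:16]), opts

def classify(header, in_iface, inside_net, outside_iface):
    """Decide what a border box should do with one received packet."""
    src, opts = parse_ipv4(header)
    if LSRR in opts or SSRR in opts:
        return "drop: source-routed"              # route embedded in the packet itself
    if in_iface == outside_iface and src in inside_net:
        return "drop: spoofed inside source"      # outside packet claiming to be inside
    return "pass"

# Constructed sample values (assumptions, not from the thread).
INSIDE = ipaddress.IPv4Network("192.168.1.0/24")
OUTSIDE_IF, INSIDE_IF = "fxp1", "fxp0"
LSRR_OPT = bytes([LSRR, 7, 4]) + ipaddress.IPv4Address("198.51.100.1").packed
```

Choosing an outgoing interface by source address, which is what Gerd asks for, is a local forwarding decision and needs no options in the packet; it only makes sense for packets that have passed both checks above.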