From: Tom
To: Haesu
cc: freebsd-isp@freebsd.org
Date: Fri, 3 Oct 2003 00:00:35 -0700 (PDT)
Subject: Re: uRPF on FreeBSD
Message-ID: <20031002235823.M82361@light.sdf.com>
In-Reply-To: <20031003034611.GA59149@scylla.towardex.com>

On Thu, 2 Oct 2003, Haesu wrote:

> Is there any reverse-path verification feature in FreeBSD kernel?
>
> reverse-path verification as in uRPF (unicast reverse path filtering) widely
> used for anti-ip-spoofing.
>
> If it is supported, then does FreeBSD's uRPF implementation also allow loose
> and strict check like on Cisco?
...

Usually RPF is just done with ACLs (ipfw) on FreeBSD. It can be as simple as having a simple input list on each interface that only permits sources that are known to be on that interface. Since most systems aren't running a routing protocol (so there aren't many routes and/or they don't change often), it is probably the simplest way of doing this.

Tom
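
The per-interface input list described in the reply above, written as a small generator for ipfw rules. This is an added example, not part of the original message: the interface names, prefixes and rule numbers are constructed, and the final uplink rule (dropping internal sources that arrive from outside) goes beyond the single case the message describes.

```shell
#!/bin/sh
# Added example: build per-interface source filters for ipfw from a prefix map.
# It only prints the ipfw commands so they can be reviewed before being applied.

# Constructed sample map: "<interface> <IPv4 prefix reachable behind it>".
# Names and prefixes are placeholders (RFC 5737 documentation ranges).
PREFIX_MAP='em1 192.0.2.0/25
em1 192.0.2.128/25
em2 198.51.100.0/24'

# gen_rpf_rules MAP [UPLINK_IF] [FIRST_RULE_NUMBER]
# For each interface in MAP: drop inbound packets whose source is NOT one of
# the prefixes known to live behind that interface (a static strict check).
# For UPLINK_IF: drop inbound packets claiming any of the internal prefixes.
gen_rpf_rules() {
    printf '%s\n' "$1" | awk -v uplink="${2:-}" -v num="${3:-1000}" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        NF != 2 || $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            printf "bad map line %d: %s\n", NR, $0 > "/dev/stderr"
            bad = 1; exit                        # refuse to emit a partial ruleset
        }
        {
            if (!($1 in list)) order[++n] = $1   # remember first-seen order
            list[$1] = (list[$1] == "" ? "" : list[$1] ",") $2
            all = (all == "" ? "" : all ",") $2
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++) {
                printf "ipfw add %d deny log ip from not %s to any in recv %s\n",
                       num, list[order[i]], order[i]
                num += 10
            }
            if (uplink != "" && all != "")
                printf "ipfw add %d deny log ip from %s to any in recv %s\n",
                       num, all, uplink
        }'
}

gen_rpf_rules "$PREFIX_MAP" em0
```

Because the rules are `deny` matches rather than terminal `allow` rules, packets with a valid source continue on to the rest of the ruleset.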