From owner-freebsd-net  Fri Feb 28  0:38:12 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1E8E137B401
	for <freebsd-net@FreeBSD.org>; Fri, 28 Feb 2003 00:38:11 -0800 (PST)
Received: from exchange.wan.no (exchange.wan.no [80.86.128.88])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E9DB943F93
	for <freebsd-net@FreeBSD.org>; Fri, 28 Feb 2003 00:38:07 -0800 (PST)
	(envelope-from sten.daniel.sorsdal@wan.no)
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: SV: Source ip route lookup on incoming packets?
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Date: Fri, 28 Feb 2003 09:38:04 +0100
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DE64@exchange.wanglobal.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Source ip route lookup on incoming packets?
Thread-Index: AcLeuN/4NyZ+pCu9TlC/lxv+yQWPJgASunUA
From: =?iso-8859-1?Q?Sten_Daniel_S=F8rsdal?= <sten.daniel.sorsdal@wan.no>
To: "Bruce M Simpson" <bms@spc.org>
Cc: <freebsd-net@FreeBSD.org>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org


>On Thu, Feb 27, 2003 at 02:02:53PM +0100, Sten Daniel S?rsdal wrote:
>>  What i am looking for is a feature that basically prevents spoofing =
by looking
>>  the route for the source and match the incoming interface.=20
>>  A firewall solves the problem but adds alot of administrative =
overhead and=20
>>  leaves room for error.
>Check the net.inet.ip.check_interface sysctl.
>It may be what you're looking for.
>BMS

Thank you for your reply!

I havent had a clear explanation of that one (tried the RFC too).
But does this one really stop spoofing for routed packets as well?

I got some border routers running BGP - three of which have full =
internet feed.
Would this block spoofed packets from my network and would it block
incoming source IPs that "come" from nonexistant networks?

- Sten

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message