Date: Fri, 28 Feb 2003 09:33:50 -0500
From: Don Bowman <don@sandvine.com>
To: 'Sten Daniel Sørsdal' <sten.daniel.sorsdal@wan.no>, Bruce M Simpson <bms@spc.org>
Cc: freebsd-net@FreeBSD.org
Subject: RE: Source ip route lookup on incoming packets?
Message-ID: <FE045D4D9F7AED4CBFF1B3B813C8533701B35BC5@mail.sandvine.com>
> From: Sten Daniel Sørsdal [mailto:sten.daniel.sorsdal@wan.no]
>
> > On Thu, Feb 27, 2003 at 02:02:53PM +0100, Sten Daniel Sørsdal wrote:
> > > What I am looking for is a feature that basically prevents spoofing by looking up
> > > the route for the source and matching the incoming interface.
> > > A firewall solves the problem but adds a lot of administrative overhead and
> > > leaves room for error.
> >
> > Check the net.inet.ip.check_interface sysctl.
> > It may be what you're looking for.
> >
> > BMS
>
> Thank you for your reply!
>
> I haven't had a clear explanation of that one (tried the RFC too).
> But does this one really stop spoofing for routed packets as well?
>
> I got some border routers running BGP - three of which have full internet feed.
> Would this block spoofed packets from my network, and would it block
> incoming source IPs that "come" from nonexistent networks?

I think the routers would need to have egress filtering enabled, which isn't all
that commonly done.

http://www-users.rwth-aachen.de/jens.hektor/security/cisco-acl.html for example.

--don

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
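The two checks discussed in this thread, written out as an added example (this is illustration code, not the FreeBSD kernel's check_interface code and not code from anyone on the thread): the "look up the route for the source and compare it with the incoming interface" test Sten describes, in a strict form and in a loose form that only requires some route to exist, plus the BCP 38 style egress filter Don points to. The routing tables, interface names (em0/em1/em2) and prefixes are constructed for the example; a real router would consult its FIB rather than a dict. The example also shows the caveat a multi-homed BGP site runs into: a legitimate source whose return route points out a different interface than the one the packet arrived on (asymmetric routing) fails the strict test, and once a default route is present, every source "has a route", so the loose test no longer catches unrouted sources.

```python
"""Reverse-path checks and an egress filter, as a worked illustration.

Constructed data throughout: the FIBs, interfaces and prefixes below are
made up for the example and are not from any real router.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

# Constructed FIB for a border router with a default route.
# em0: transit upstream, em1: our own LAN, em2: a peering link.
FIB_WITH_DEFAULT: Dict[str, str] = {
    "0.0.0.0/0": "em0",
    "203.0.113.0/24": "em1",
    "198.51.100.0/24": "em2",
}

# Constructed FIB for a router carrying a full BGP feed and no default route:
# a source that matches nothing here is an unrouted ("nonexistent") network.
FIB_FULL_FEED: Dict[str, str] = {
    "203.0.113.0/24": "em1",
    "198.51.100.0/24": "em2",
    "192.0.2.0/24": "em0",
}

# Constructed: the prefixes this site is allowed to originate.
OWN_PREFIXES = ("203.0.113.0/24",)


def lookup_route(fib: Dict[str, str], src: str) -> Optional[str]:
    """Longest-prefix match: the interface the FIB would use to reach src, or None."""
    addr = ip_address(src)
    best_len, best_iface = -1, None
    for prefix, iface in fib.items():
        net = ip_network(prefix)
        # 'in' is version-aware, so a v4 address never matches a v6 prefix.
        if addr in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def strict_rpf(fib: Dict[str, str], src: str, in_iface: str) -> bool:
    """Strict check: accept only if the route back to src leaves via in_iface.

    Catches spoofed sources, but also drops legitimate packets that arrived
    over a different link than the one the return route uses.
    """
    return lookup_route(fib, src) == in_iface


def loose_rpf(fib: Dict[str, str], src: str) -> bool:
    """Loose check: accept if any route to src exists at all.

    Survives asymmetric routing, but only rejects sources with no route;
    with a default route installed, nothing is ever rejected.
    """
    return lookup_route(fib, src) is not None


def egress_ok(own_prefixes: Iterable[str], src: str) -> bool:
    """Egress filter: packets leaving the site must carry one of our own source addresses."""
    addr = ip_address(src)
    return any(addr in ip_network(p) for p in own_prefixes)


if __name__ == "__main__":
    # An outsider on the transit link claiming one of our own addresses.
    print("spoof of own net via em0, strict:", strict_rpf(FIB_WITH_DEFAULT, "203.0.113.7", "em0"))
    # Peer traffic that came in over transit instead of the peering link.
    print("asymmetric peer via em0, strict:", strict_rpf(FIB_WITH_DEFAULT, "198.51.100.5", "em0"))
    print("asymmetric peer via em0, loose: ", loose_rpf(FIB_WITH_DEFAULT, "198.51.100.5"))
    # Unrouted source: invisible behind a default route, caught with a full feed.
    print("10.0.0.1 with default, loose:   ", loose_rpf(FIB_WITH_DEFAULT, "10.0.0.1"))
    print("10.0.0.1 full feed, loose:      ", loose_rpf(FIB_FULL_FEED, "10.0.0.1"))
    # Egress: only our own prefixes may leave the site.
    print("egress 192.0.2.1 allowed:       ", egress_ok(OWN_PREFIXES, "192.0.2.1"))
```

The strict form is what the interface-comparison idea amounts to on a single-homed box; on border routers with several upstreams the loose form is the one that can be enabled without breaking asymmetric paths, and it only helps if the router carries a full table rather than a default route. Neither replaces an egress filter on the site's own prefixes.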