From: Don Bowman <don@sandvine.com>
To: Sten Daniel Sørsdal, Bruce M Simpson
Cc: freebsd-net@FreeBSD.org
Subject: RE: Source ip route lookup on incoming packets?
Date: Fri, 28 Feb 2003 09:33:50 -0500

> From: Sten Daniel Sørsdal [mailto:sten.daniel.sorsdal@wan.no]
>
> > On Thu, Feb 27, 2003 at 02:02:53PM +0100, Sten Daniel Sørsdal wrote:
> > > What I am looking for is a feature that basically prevents spoofing by looking
> > > up the route for the source and matching it against the incoming interface.
> > > A firewall solves the problem but adds a lot of administrative overhead and
> > > leaves room for error.
> >
> > Check the net.inet.ip.check_interface sysctl.
> > It may be what you're looking for.
> >
> > BMS
>
> Thank you for your reply!
>
> I haven't had a clear explanation of that one (tried the RFC too).
> But does this one really stop spoofing for routed packets as well?
>
> I got some border routers running BGP - three of which have
> full internet feed.
> Would this block spoofed packets from my network and would it block
> incoming source IPs that "come" from nonexistent networks?

I think the routers would need to have egress filtering enabled, which
isn't all that commonly done.

http://www-users.rwth-aachen.de/jens.hektor/security/cisco-acl.html
for example.

--don
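The check Sten describes (look up the route for the packet's source address and compare it with the interface the packet arrived on) is what router vendors call strict reverse-path forwarding. The example below is added here and is not code from the thread or from FreeBSD; it models that check against a constructed routing table so the two questions in the mail can be worked through: a packet claiming a source in "my network" that arrives from the upstream, and a packet whose source has no route at all. The table, interface names and sample packets are all constructed. It also shows the loose variant, which only asks whether a route to the source exists, because strict mode drops legitimate traffic whenever routing is asymmetric, which is the normal state of affairs on a router with three full-feed upstreams. Note that net.inet.ip.check_interface only applies to packets addressed to the host itself, so it does not filter forwarded traffic on a router.

```python
"""Reverse-path checks on a constructed routing table.

Added example, not code from the thread or from FreeBSD.  It models the
check discussed in the mail: look up the route for the packet's *source*
address and compare it with the ingress interface.  Table contents,
interface names and sample packets are constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed table for a multi-homed border router carrying a full BGP
# feed, so it needs no default route: our two customer prefixes sit behind
# customer0/customer1, everything else was learned from the upstream or
# the peer.  Unannounced ("nonexistent") space has no route at all.
ROUTES: List[Route] = [
    Route(_net("192.0.2.0/24"), "customer0"),
    Route(_net("198.51.100.0/24"), "customer1"),
    Route(_net("203.0.113.0/24"), "peer0"),
    Route(_net("198.18.0.0/15"), "upstream0"),
    Route(_net("198.18.64.0/18"), "peer0"),   # more specific, reached via the peer
]


def lookup(table: List[Route], src: str) -> Optional[Route]:
    """Longest-prefix match, as a forwarding table resolves a destination;
    here it is applied to the source address instead."""
    addr = ipaddress.ip_address(src)
    best = None
    for route in table:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def strict_rpf(table: List[Route], src: str, ingress: str) -> bool:
    """Strict mode: the best route to the source must point back out the
    interface the packet came in on.  Catches spoofed 'own network' sources
    arriving from upstream and sources with no route, but also drops
    legitimate traffic when routing is asymmetric."""
    route = lookup(table, src)
    return route is not None and route.interface == ingress


def loose_rpf(table: List[Route], src: str) -> bool:
    """Loose mode: any route to the source is enough, whichever interface it
    uses.  Survives asymmetric routing but only blocks sources that are not
    routed anywhere (the 'nonexistent networks' case)."""
    return lookup(table, src) is not None


def audit(table: List[Route], packets: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, bool]]:
    """Run both checks over (src, ingress) pairs; returns
    (src, ingress, strict_ok, loose_ok) for each packet."""
    return [(src, ifn, strict_rpf(table, src, ifn), loose_rpf(table, src)) for src, ifn in packets]


# Constructed sample traffic: (source address, ingress interface).
PACKETS = [
    ("192.0.2.10", "customer0"),    # our customer, arriving on its own interface
    ("192.0.2.10", "upstream0"),    # claims to be our customer but arrives from upstream
    ("10.9.8.7", "upstream0"),      # source with no route in the table
    ("198.18.5.5", "upstream0"),    # ordinary remote source via upstream
    ("198.18.70.1", "upstream0"),   # legitimate, but the return path is via peer0
]

if __name__ == "__main__":
    for src, ifn, strict_ok, loose_ok in audit(ROUTES, PACKETS):
        verdict = lambda ok: "pass" if ok else "DROP"
        print(f"{src:>14} in {ifn:<10} strict={verdict(strict_ok)} loose={verdict(loose_ok)}")
```

Running the block shows the trade-off: strict mode drops both the spoofed customer source and the unrouted source, but also the last packet, whose best route points out peer0 rather than the upstream it arrived on; loose mode passes that one and only drops the unrouted source. Which mode is tolerable depends on how symmetric the routing actually is on each interface, which is why strict checks are usually applied on customer-facing interfaces (where the answer is known) and loose checks, if any, toward upstreams.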