Date: Wed, 12 Mar 2003 12:09:03 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
Cc: freebsd-net@FreeBSD.org
Subject: Re: Source ip route lookup on incoming packets?
Message-ID: <20030312200903.GG16143@blossom.cjclark.org>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DE63@exchange.wanglobal.net>
References: <0AF1BBDF1218F14E9B4CCE414744E70F07DE63@exchange.wanglobal.net>

On Thu, Feb 27, 2003 at 02:02:53PM +0100, Sten Daniel Sørsdal wrote:
>
> Has anyone made any patches to lookup the source ip for a packet to be routed
> so that it comes from the right interface?
> I've heard a lot of talk from people going to write patches to do this
> but no patches have turned up and no help from google.
>
> What I am looking for is a feature that basically prevents spoofing by looking
> the route for the source and match the incoming interface.
> A firewall solves the problem but adds a lot of administrative overhead and
> leaves room for error.
>
> Is this feature even possible on FreeBSD?

For the sake of the email archive (since I know the post's author is
already aware of this): Yes, this is possible. I just added an option to
ipfw(8) to do this. It is called 'verrevpath.' See the thread
"Anti-Spoofing Option" on the freebsd-ipfw list. Coming soon to a
FreeBSD repository near you.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
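
Added example, not part of the original message and not the ipfw(8) code: a small model of the check discussed above, where the route for a packet's source address is looked up (longest prefix first) and the packet is accepted only if that route points out the interface it arrived on. The routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface). Not from the post.
ROUTES = [
    ("0.0.0.0/0", "em0"),      # default route via the upstream interface
    ("10.1.0.0/16", "em1"),    # internal LAN
    ("10.1.5.0/24", "em2"),    # more specific subnet behind another NIC
    ("192.0.2.0/24", "em1"),
]

def build_table(routes):
    """Parse prefixes once and sort so the longest prefix is tried first."""
    table = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def route_lookup(table, addr):
    """Return the interface the table would use to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net, ifname in table:
        if ip.version == net.version and ip in net:
            return ifname
    return None

def reverse_path_ok(table, src, recv_if):
    """Strict check: the route back to src must use the receiving interface."""
    expected = route_lookup(table, src)
    return expected is not None and expected == recv_if

def filter_packets(table, packets):
    """Return (src, recv_if, verdict) for each (src, recv_if) pair."""
    return [
        (src, recv_if, "pass" if reverse_path_ok(table, src, recv_if) else "drop")
        for src, recv_if in packets
    ]

if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed packets: (claimed source address, interface it arrived on).
    sample = [
        ("10.1.2.3", "em1"),      # LAN host on the LAN interface
        ("10.1.2.3", "em0"),      # LAN address arriving from upstream: spoofed
        ("10.1.5.9", "em1"),      # more specific route says em2, not em1
        ("198.51.100.7", "em0"),  # matched only by the default route
    ]
    for src, recv_if, verdict in filter_packets(table, sample):
        print(f"{src:15} in via {recv_if}: {verdict}")
```

A strict check like this also drops legitimate traffic when routing is asymmetric, so it fits best on interfaces where each source prefix has exactly one valid path in.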