Date:      Wed, 21 Jul 2004 07:44:55 -0400
From:      James <james@towardex.com>
To:        Andre Oppermann <andre@freebsd.org>
Cc:        James <haesu@towardex.com>
Subject:   Re: IPFW2 versrcreach update
Message-ID:  <20040721114455.GA47249@scylla.towardex.com>
In-Reply-To: <40FE4367.AA7B0A7F@freebsd.org>
References:  <20040720021237.GA74977@scylla.towardex.com> <40FCD21B.40CB83ED@freebsd.org> <20040721020418.GA53214@scylla.towardex.com> <40FE4367.AA7B0A7F@freebsd.org>

Andre, 

> 
> James,
> 
> it just occurred to me; but what is the purpose of versrcreach denying a
> packet that will be discarded a few cycles later anyway?  When I mark
> a route with -reject I want the ICMPs to go out and still use the versrcreach
> functionality in ipfw.

The point is to have uRPF loose-check *drop* the packets sourced from IPs that
are null-routed. A null route would discard the packet destined *to* the null
route, but it would never drop a packet *sourced* with an IP within the null
route.

uRPF should not emit an ICMP when it drops a -reject route. Even with 
ip unreachables, Cisco won't emit ICMP when uRPF is killing a packet. The source
that triggered uRPF drop condition cannot be trusted as it may have spoofed the
packet.

-J

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
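The distinction James draws above (a null route discards traffic *to* a prefix, while loose-mode uRPF is what discards traffic *sourced from* it, and does so without answering with ICMP) can be modelled with a small routing table. The following is an added illustration written for this archive page; it is not FreeBSD code and does not reproduce ipfw's internals. The `Route` class, the `RIB` table, the RFC 5737 documentation prefixes and the function names `lookup`, `forward`, `versrcreach` and `decide` are all constructed for the example. The sample table deliberately has no default route, so an unrouted source simply has no match.

```python
"""Toy model of a -reject / -blackhole route versus a loose-mode uRPF source check.

Added example, not FreeBSD code. Every route, prefix and name below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    reject: bool = False      # installed with -reject: discard and answer with ICMP unreachable
    blackhole: bool = False   # installed with -blackhole: discard silently


# Constructed sample routing table using documentation prefixes (RFC 5737).
# No default route on purpose: an address nothing covers yields no match at all.
RIB: List[Route] = [
    Route(ipaddress.ip_network("192.0.2.0/24")),                    # ordinary customer prefix
    Route(ipaddress.ip_network("198.51.100.0/24"), reject=True),    # null-routed with -reject
    Route(ipaddress.ip_network("203.0.113.0/24"), blackhole=True),  # null-routed with -blackhole
]


def lookup(addr: str, rib: List[Route] = RIB) -> Optional[Route]:
    """Longest-prefix match for addr, or None when no route covers it."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in rib if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def forward(dst: str, rib: List[Route] = RIB) -> Tuple[str, bool]:
    """Forwarding decision for a packet *destined to* dst: (verdict, icmp_sent).

    A -reject route discards the packet and answers with ICMP unreachable;
    a -blackhole route (or no route) discards it silently.
    """
    rt = lookup(dst, rib)
    if rt is None or rt.blackhole:
        return ("drop", False)
    if rt.reject:
        return ("drop", True)
    return ("forward", False)


def versrcreach(src: str, rib: List[Route] = RIB) -> Tuple[str, bool]:
    """Loose-mode uRPF on the packet's *source*: (verdict, icmp_sent).

    The source passes only when a usable route (neither -reject nor -blackhole)
    covers it. The source address may be spoofed, so a drop here never sends ICMP.
    """
    rt = lookup(src, rib)
    if rt is None or rt.reject or rt.blackhole:
        return ("drop", False)
    return ("pass", False)


def decide(src: str, dst: str, rib: List[Route] = RIB, urpf: bool = True) -> Tuple[str, bool]:
    """Whole path for one packet: source check first (if enabled), then destination lookup."""
    if urpf:
        verdict, icmp = versrcreach(src, rib)
        if verdict == "drop":
            return (verdict, icmp)
    return forward(dst, rib)


if __name__ == "__main__":
    null_routed_src, customer = "198.51.100.7", "192.0.2.10"
    # A packet *to* the null-routed prefix is dropped by the route, with ICMP.
    print("to null-routed prefix:  ", forward(null_routed_src))                    # ('drop', True)
    # A packet *from* it is forwarded happily unless the source is checked.
    print("from it, without uRPF:  ", decide(null_routed_src, customer, urpf=False))  # ('forward', False)
    # With versrcreach the same packet is dropped, and no ICMP is generated.
    print("from it, with uRPF:     ", decide(null_routed_src, customer))           # ('drop', False)
```

Running the block shows the three cases side by side: the reject route alone only ever acts on the destination, and it is the source check that removes packets carrying a null-routed source address, silently, because answering a possibly spoofed source would only hand traffic to a third party.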