[linux] rp_filter and anti-spoofing
Valašťan Štefan
stefan.valastan at scp.sk
Monday July 8 11:37:48 CEST 2002
Aha, I think I've understood it now, based on this:
1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
that look as sourced at a directly connected interface, but
were input from another interface.
It says that if I have the INTERNET on eth0 and a LAN with IP 192.0.0.0/8 on eth1, then
it filters only those packets on eth0 and not the ones from
172.16.0.0/12, 10.0.0.0/8. Did I understand it correctly?
Steve
> -----Original Message-----
> From: Martin Mosny [SMTP:mmosny at postel.sk]
> Sent: Monday, July 08, 2002 11:24 AM
> To: Valašťan Štefan
> Subject: Re: [linux] rp_filter and anti-spoofing
>
> Hello all,
>
> Monday, July 8, 2002, 11:00:42 AM, you wrote:
>
> VŠ> Could someone familiar with the subject explain to me why in most of the
> VŠ> iptables scripts found on the internet rp_filter is enabled and at the same
> VŠ> time the scripts also contain
>
> It stands for "Reverse Path". If packets come in on a
> different interface to the one they use to leave, then they are
> discarded.
>
>
> or, more precisely:
>
> (networking/ip-sysctl.txt):
>
> rp_filter - INTEGER
> 2 - do source validation by reversed path, as specified in RFC1812
> Recommended option for single homed hosts and stub network
> routers. Could cause troubles for complicated (not loop free)
> networks running a slow unreliable protocol (sort of RIP),
> or using static routes.
>
> 1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
> that look as sourced at a directly connected interface, but
> were input from another interface.
>
> 0 - No source validation.
>
>
> So from that it should be clear to you what rp_filter is. The extra rules
> that are added only "SET IN CONCRETE" your settings, so that nobody can throw
> packets from the IP addresses listed below at you on INETERNET_IFACE (see
> below).
>
> (Use of most of these special use prefixes open up significant opportunities
> for anonymity and ambiguity.)
>
> VŠ> $IPTABLES -A spoof -s 127.0.0.0/8 -j DROP
> VŠ> $IPTABLES -A spoof -d 127.0.0.0/8 -j DROP
> VŠ> $IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918
> VŠ> $IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918
> VŠ> $IPTABLES -A spoof -s 10.0.0.0/8 -j DROP #RFC1918
> VŠ> $IPTABLES -A spoof -s 96.0.0.0/4 -j DROP
>
> In today's network, it is prudent to control access. In the case of these
> special use prefixes, it is generally a good idea to filter them so they
> do not propagate. After all, you don't want someone else's use of these
> prefixes to taint your environment. All of these address classes should be
> invalid as source addresses (except where negotiated in advance), and very
> few should be permitted as destination addresses (Multicast for example,
> should be permitted as a destination, just not as a source).
>
>
> I don't know whether this helps you, but I hope at least a little :)
>
> --
> Martin (m0s)
>
>
> _______________________________________________
> http://lists.linux.sk/listinfo/linux
> http://search.lists.linux.sk
More information about the linux mailing list
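As an added illustration (not part of the thread, and not code from either poster), the following Python model replays the reasoning in the thread: it takes the routing setup from Steve's question (default route via eth0 to the internet, 192.0.0.0/8 directly connected on eth1), applies the three rp_filter modes exactly as the quoted 2.4-era ip-sysctl.txt describes them, and then applies the "spoof" chain prefixes from the quoted script. The point it makes visible is why both are used together: in the weak mode 1, a packet with source 10.1.2.3 arriving on eth0 does not look like it came from a directly connected interface, so rp_filter lets it through and only the explicit iptables rule catches it. The routing table, the packet samples and the assumption that rp_filter runs before the spoof chain (i.e. the chain is hooked from INPUT/FORWARD, after routing) are constructed for this example. Caveat: current kernels document rp_filter=1 as strict and 2 as loose, which is not the numbering in the 2002 text quoted above; the code follows the quoted text.

```python
import ipaddress

# Constructed routing table for the setup in the question:
# default route via eth0 (internet side), 192.0.0.0/8 directly connected on eth1.
# Each entry: (prefix, outgoing interface, directly connected?)
ROUTES = [
    (ipaddress.ip_network("192.0.0.0/8"), "eth1", True),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0", False),
]

# Prefixes dropped by the "spoof" chain in the quoted script (-s rules only).
SPOOF_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
              "10.0.0.0/8", "96.0.0.0/4")
]


def route_lookup(src):
    """Longest-prefix match for src; returns (prefix, iface, direct) or None."""
    best = None
    for net, iface, direct in ROUTES:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, direct)
    return best


def rp_filter_drops(src, in_iface, mode):
    """True if reverse-path filtering, as described in the quoted ip-sysctl.txt
    (0 = off, 1 = weak, 2 = RFC 1812 strict), would discard the packet."""
    src = ipaddress.ip_address(src)
    match = route_lookup(src)
    if mode == 0:
        return False
    if mode == 2:
        # Strict: the route back to src must leave through the input interface.
        return match is None or match[1] != in_iface
    if mode == 1:
        # Weak: drop only sources that look directly connected to another interface.
        return match is not None and match[2] and match[1] != in_iface
    raise ValueError("rp_filter mode must be 0, 1 or 2")


def spoof_chain_drops(src):
    """True if one of the explicit -s DROP rules in the spoof chain matches."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in SPOOF_PREFIXES)


def verdict(src, in_iface, mode):
    """Which mechanism (if any) stops the packet, assuming rp_filter runs first."""
    if rp_filter_drops(src, in_iface, mode):
        return "dropped by rp_filter"
    if spoof_chain_drops(src):
        return "dropped by spoof chain"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample packets: (source address, input interface)
    samples = [("192.0.2.1", "eth0"), ("10.1.2.3", "eth0"),
               ("172.16.5.5", "eth1"), ("198.51.100.7", "eth0")]
    for mode in (0, 1, 2):
        for src, iface in samples:
            print(f"rp_filter={mode} src={src:<14} in={iface}: "
                  f"{verdict(src, iface, mode)}")
```

Running it shows that only mode 2 (strict) alone would reject a spoofed 10.0.0.0/8 source arriving on eth1, and that neither mode catches an RFC 1918 source arriving on the default-route interface, which is exactly the gap the explicit iptables rules close.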