[linux] rp_filter and anti spoofing

Valašťan Štefan stefan.valastan na scp.sk
Monday July 8 11:37:48 CEST 2002


Ah, I think I've understood it now, based on this:

	1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
	            that look as sourced at a directly connected interface, but
	            were input from another interface.
It says that if I have the INTERNET on eth0 and the LAN with IP 192.0.0.0/8 on eth1,
then on eth0 it filters only those packets and not the ones from
172.16.0.0/12, 10.0.0.0/8; did I understand that correctly?

Steve


> -----Original Message-----
> From:	Martin Mosny [SMTP:mmosny na postel.sk]
> Sent:	Monday, July 08, 2002 11:24 AM
> To:	Valašťan Štefan
> Subject:	Re: [linux] rp_filter and anti spoofing
> 
> Hello all,
> 
> Monday, July 8, 2002, 11:00:42 AM, you wrote:
> 
> VŠ> Could someone familiar with the topic explain to me why, in most
> VŠ> iptables scripts found on the internet, rp_filter is enabled and at
> VŠ> the same time the scripts contain
> 
> It stands for "Reverse Path". If packets come in on a
> different interface to the one they use to leave, then they are
> discarded.
> 
> 
> or rather:
> 
> (networking/ip-sysctl.txt):
>   
>  rp_filter - INTEGER
>         2 - do source validation by reversed path, as specified in RFC1812
>             Recommended option for single homed hosts and stub network
>             routers. Could cause troubles for complicated (not loop free)
>             networks running a slow unreliable protocol (sort of RIP),
>             or using static routes.
> 
>         1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
>             that look as sourced at a directly connected interface, but
>             were input from another interface.
> 
>         0 - No source validation.
> 
> 
> So from that it should be clear to you what rp_filter is. Adding the
> extra rules just "sets in concrete" your settings, so that nobody can
> throw packets from the IP addresses listed below at your INTERNET_IFACE
> (see below).
> 
> (Use of most of these special use prefixes open up significant
> opportunities for anonymity and ambiguity.)
> 
> VŠ> $IPTABLES -A spoof -s 127.0.0.0/8 -j DROP
> VŠ> $IPTABLES -A spoof -d 127.0.0.0/8 -j DROP
> VŠ> $IPTABLES -A spoof -s 192.168.0.0/16 -j DROP            # RFC1918
> VŠ> $IPTABLES -A spoof -s 172.16.0.0/12 -j DROP             # RFC1918
> VŠ> $IPTABLES -A spoof -s 10.0.0.0/8 -j DROP                  #RFC1918
> VŠ> $IPTABLES -A spoof -s 96.0.0.0/4 -j DROP
> 
> In today's network, it is prudent to control access. In the case of these
> special use prefixes, it is generally a good idea to filter them so they
> do not propagate. After all, you don't want someone else's use of these
> prefixes to taint your environment. All of these address classes should be
> invalid as source addresses (except where negotiated in advance), and very
> few should be permitted as destination addresses (Multicast for example,
> should be permitted as a destination, just not as a source).
> 
> 
> I don't know whether this will help you, but I hope at least a little :)
> 
> -- 
> Martin (m0s)
> 
> 
> _______________________________________________
> http://lists.linux.sk/listinfo/linux
> http://search.lists.linux.sk
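The rp_filter decision quoted from ip-sysctl.txt above, run against the thread's explicit "spoof" rules, as an added example that is not part of this thread or of the script being discussed. It assumes a constructed routing table (Internet on eth0 via the default route, LAN 192.168.0.0/16 on eth1, uplink subnet 203.0.113.0/24) and that the spoof chain is hooked on the Internet interface only, as the reply describes.

```python
import ipaddress

# Constructed routing table (assumption): Internet on eth0, LAN on eth1.
ROUTES = [
    # (prefix, outgoing interface, directly connected?)
    (ipaddress.ip_network("0.0.0.0/0"), "eth0", False),
    (ipaddress.ip_network("203.0.113.0/24"), "eth0", True),
    (ipaddress.ip_network("192.168.0.0/16"), "eth1", True),
]

# Source prefixes dropped by the "spoof" chain in the quoted iptables script.
SPOOF_SOURCES = [ipaddress.ip_network(p) for p in
                 ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
                  "10.0.0.0/8", "96.0.0.0/4")]


def route_lookup(addr):
    """Longest-prefix match: the route the kernel would use to reach addr."""
    matches = [r for r in ROUTES if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def rp_filter_drops(mode, in_iface, src):
    """Does rp_filter=mode drop a packet from src received on in_iface?
    Mode numbering follows the 2002 ip-sysctl.txt quoted in the thread."""
    src = ipaddress.ip_address(src)
    if mode == 0:  # no source validation at all
        return False
    if mode == 1:  # weak form: src belongs to a directly connected subnet
        # of some *other* interface than the one the packet arrived on
        return any(connected and src in net and iface != in_iface
                   for net, iface, connected in ROUTES)
    if mode == 2:  # strict RFC 1812: the reverse route for src must point
        # back out of the interface the packet came in on
        route = route_lookup(src)
        return route is None or route[1] != in_iface
    raise ValueError(f"unknown rp_filter mode {mode}")


def spoof_chain_drops(src):
    """Does the explicit iptables 'spoof' chain drop this source address?"""
    src = ipaddress.ip_address(src)
    return any(src in net for net in SPOOF_SOURCES)


def verdict(mode, in_iface, src):
    """Which layer stops the packet: 'rp_filter', 'spoof', or 'accept'.
    rp_filter runs at route lookup, before the filter table sees the packet;
    the spoof chain is assumed to be applied only on the Internet side (eth0)."""
    if rp_filter_drops(mode, in_iface, src):
        return "rp_filter"
    if in_iface == "eth0" and spoof_chain_drops(src):
        return "spoof"
    return "accept"
```

With this table, a packet from 10.1.2.3 arriving on eth0 passes the weak mode (10/8 is not directly connected) and also passes the strict mode (the reverse route for 10/8 is the default route out of eth0), so only the explicit DROP rule stops it; this is why the scripts carry both. Note that kernels since 2.6.31 number the modes the other way round (1 is strict, 2 is loose), so check the ip-sysctl.txt of the kernel you run.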