From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Alexander Samad <alex@samad.com.au>
Cc: netfilter@lists.netfilter.org
Subject: Re: network range
Date: Mon, 05 Apr 2004 07:07:20 -0400 [thread overview]
Message-ID: <1081163239.29905.13.camel@localhost> (raw)
In-Reply-To: <20040404104046.GA2821@samad.com.au>
rp_filter presents some issues when used with Free/Open/StrongSWAN, the
IPSec products. This also gives a more finely grained control of the
process, e.g., the possibility of selectively anti-spoofing. Finally,
because I have not used it (because of the VPN conflict), I'm not sure
if rp_filter applies to only INPUT traffic or also FORWARD traffic. I
think the latter but I do not know authoritatively.
Thanks for the comment - John
On Sun, 2004-04-04 at 06:40, Alexander Samad wrote:
> On Sat, Apr 03, 2004 at 05:03:04PM -0500, John A. Sullivan III wrote:
> > On Sat, 2004-04-03 at 15:53, IT Clown wrote:
> --- snip ---
> > I usually implement anti-spoofing in two steps. For both public and
> > private interfaces I set up a rule to drop any packets from the address
> > bound to the interface if it appears on a different interface. Thus:
> > iptables -t mangle -A PREROUTING -s 10.0.0.0/24 -i ! eth1 -j DROP
> > iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -i ! eth0 -j DROP
>
> Isn't that what rp_filter does ?
>
> > This is to prevent someone from using my own addresses against me.
> >
> --- snip ---
> >
> > Someone else may have a better way but that's how I do it. I use the
> > mangle table rather than filter so that I can drop bad packets ASAP.
> > Good luck - John
> > --
> > John A. Sullivan III
> > Chief Technology Officer
> > Nexus Management
> > +1 207-985-7880
> > john.sullivan@nexusmgmt.com
> > ---
> > If you are interested in helping to develop a GPL enterprise class
> > VPN/Firewall/Security device management console, please visit
> > http://iscs.sourceforge.net
> >
> >
> >
> >
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
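The two-interface anti-spoofing scheme discussed above, as an added example that is not part of the original thread: a small POSIX shell generator for the per-interface mangle/PREROUTING DROP rules, using the current iptables negation syntax (`! -i eth1`; the 2004 form `-i ! eth1` quoted in the thread is no longer accepted by modern iptables), alongside the sysctl alternative the reply asks about. The interface/network pairs (eth0 with 1.1.1.0/24, eth1 with 10.0.0.0/24) are taken from the quoted rules; the function names and the APPLY switch are this example's own. The note on rp_filter scope is the editor's, not the thread's: the check runs during the input route lookup, before the INPUT/FORWARD split, so it applies to forwarded packets as well as locally delivered ones.

```shell
#!/bin/sh
# Added example (not code from the original thread). Generates the
# per-interface anti-spoofing rules described in the thread: a packet whose
# source is one of "our" networks is only legitimate if it arrives on the
# interface that network is bound to; anything else is dropped as early as
# possible (mangle/PREROUTING, as the thread suggests).

# Usage: gen_antispoof IFACE CIDR [IFACE CIDR ...]
# Prints one DROP rule per pair using the current "! -i" negation syntax.
# Returns 1 if the argument list is not made of complete pairs.
gen_antispoof() {
    while [ "$#" -ge 2 ]; do
        iface=$1
        cidr=$2
        shift 2
        printf 'iptables -t mangle -A PREROUTING -s %s ! -i %s -j DROP\n' \
            "$cidr" "$iface"
    done
    if [ "$#" -ne 0 ]; then
        echo "gen_antispoof: arguments must be IFACE CIDR pairs" >&2
        return 1
    fi
}

# Kernel-side alternative: reverse-path filtering via sysctl.
# MODE 1 = strict (source must be routed back out the arriving interface),
# MODE 2 = loose (source must be reachable via any interface), 0 = off.
# Editor's note: rp_filter is evaluated during the input route lookup, so it
# covers forwarded traffic as well as locally delivered traffic. It has no
# per-network granularity, which is why the iptables rules above can be
# preferable when some interfaces (e.g. IPsec tunnels) must be exempted.
gen_rp_filter() {
    mode=${1:-1}
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=%s\n' "$mode"
    printf 'sysctl -w net.ipv4.conf.default.rp_filter=%s\n' "$mode"
}

# Constructed topology from the thread: eth0 public 1.1.1.0/24,
# eth1 private 10.0.0.0/24. Print the commands by default; run them only
# when APPLY=1 is set in the environment (requires root).
if [ "${APPLY:-0}" = 1 ]; then
    gen_antispoof eth0 1.1.1.0/24 eth1 10.0.0.0/24 | sh
else
    gen_antispoof eth0 1.1.1.0/24 eth1 10.0.0.0/24
fi
```

Run it without APPLY to review the generated rules; with `APPLY=1` it pipes them to a shell. Adding a third interface is a matter of appending another IFACE CIDR pair. When a VPN interface carries traffic sourced from an internal network, leave that network out of the pair list rather than turning on rp_filter globally, which is the conflict the reply describes.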
Thread overview: 7+ messages
2004-04-03 19:35 network range IT Clown
2004-04-03 20:53 ` IT Clown
2004-04-03 21:32 ` Rob Sterenborg
2004-04-03 22:02 ` John A. Sullivan III
2004-04-03 22:03 ` John A. Sullivan III
2004-04-04 10:40 ` Alexander Samad
2004-04-05 11:07 ` John A. Sullivan III [this message]