From: Marco Gaiarin
Date: Mon, 08 Feb 2021 15:15:30 +0000
Subject: Re: Multiple link, policy routing and link not in default route...
Message-Id: <20210208151530.GO3103@sv.lnf.it>
References: <20210203181530.GO3370@lilliput.linux.it>
In-Reply-To: <20210203181530.GO3370@lilliput.linux.it>
To: lartc@vger.kernel.org

Hello! On that day, cronolog+lartc wrote...

> Rather than disable rp_filter (by setting to 0 on all interfaces I presume),
> what about setting it to 2 for Loose mode instead, and only on the affected
> interfaces, so only those interfaces change behaviour?
> Loose mode would allow the packet as long as there is a valid route on any
> interface, instead of the specific interface it comes in. So as long as a
> default route exists anywhere, the packet should pass.

Bingo!

> Potentially this opens up the interface to spoofed traffic, as it would now
> allow traffic with source IP belonging to subnets on your private interfaces,
> because obviously you would have routes to those too. But that can be solved
> easily with iptables rules. Generally I block all packets with source in all
> private IP ranges on Internet-facing interfaces, with exceptions if necessary
> e.g. for external DMZ etc.

I do exactly the same thing. To at least be notified, I've also enabled 'log_martians'.

Many thanks!!!

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
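The exchange above describes three things that are easy to get wrong on a multi-homed box: what strict (1) versus loose (2) rp_filter actually checks, why loose mode lets spoofed private-range sources through once a default route exists, and why an iptables anti-spoofing rule therefore has to sit behind it. The following is an added example, not code from the list post or from the LARTC project: a small Python model of the kernel's source-validation decision plus the anti-spoof rule, run over constructed packets. The interface names (eth0 as the only default-route link, eth1 as the LAN, eth2 as the second uplink), the routes and the addresses are all assumptions, and the reverse lookup only models the main table, which is exactly the situation in which the thread's second link fails strict mode.

```python
"""
Added example (not code from the list post): a model of how Linux
reverse-path filtering (net.ipv4.conf.*.rp_filter) treats a packet on a
multi-homed box, and of the anti-spoofing rule the thread pairs with loose
mode.  Interface names, routes and addresses below are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed main routing table (longest prefix wins).  eth0 is the only
# link in the default route; eth1 is the LAN; eth2 is a second uplink whose
# return path lives in a policy-routing table that this plain reverse lookup
# never consults, which is the thread's problem.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
    (ipaddress.ip_network("10.0.0.0/8"), "eth1"),
    (ipaddress.ip_network("203.0.113.4/30"), "eth2"),
]

# RFC 1918 sources that must never arrive on an Internet-facing interface.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def route_lookup(addr: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match; returns the egress interface, or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def effective_rp_filter(iface: str, sysctl: Dict[str, int]) -> int:
    """The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter)."""
    return max(sysctl.get("all", 0), sysctl.get(iface, 0))


def rp_filter_verdict(src: str, dst: str, iif: str, sysctl: Dict[str, int],
                      routes=ROUTES) -> Tuple[str, Optional[str]]:
    """Source validation as done in the route-input path, before any iptables
    filter chain.  Returns (verdict, log line or None); the log line mimics
    the kernel's message when log_martians=1."""
    mode = effective_rp_filter(iif, sysctl)
    reverse_iface = route_lookup(src, routes)
    if mode == 1:      # strict: the reply must leave by the arrival interface
        ok = reverse_iface == iif
    elif mode == 2:    # loose: any route to the source is enough
        ok = reverse_iface is not None
    else:              # 0: no source validation at all
        ok = True
    if ok:
        return "ACCEPT", None
    return "DROP", f"IPv4: martian source {dst} from {src}, on dev {iif}"


def antispoof_verdict(src: str, iif: str, wan_ifaces, exceptions=()) -> str:
    """Netfilter-style rule: drop private-range sources on WAN interfaces,
    except for listed prefixes (e.g. an external DMZ)."""
    if iif not in wan_ifaces:
        return "ACCEPT"
    ip = ipaddress.ip_address(src)
    if any(ip in ipaddress.ip_network(e) for e in exceptions):
        return "ACCEPT"
    if any(ip in net for net in PRIVATE_RANGES):
        return "DROP"
    return "ACCEPT"


def inbound_verdict(src, dst, iif, sysctl, wan_ifaces, exceptions=()):
    """Order matters: rp_filter runs first, the iptables rule sees survivors."""
    verdict, log = rp_filter_verdict(src, dst, iif, sysctl)
    if verdict == "DROP":
        return "DROP(rp_filter)", log
    if antispoof_verdict(src, iif, wan_ifaces, exceptions) == "DROP":
        return "DROP(antispoof)", None
    return "ACCEPT", None


def render_commands(loose_ifaces, wan_ifaces, exceptions=()) -> List[str]:
    """The sysctl and iptables lines this policy corresponds to (INPUT only;
    a router would repeat the iptables rules in FORWARD)."""
    cmds = []
    for i in loose_ifaces:
        cmds.append(f"sysctl -w net.ipv4.conf.{i}.rp_filter=2")
        cmds.append(f"sysctl -w net.ipv4.conf.{i}.log_martians=1")
    for w in wan_ifaces:
        for e in exceptions:
            cmds.append(f"iptables -A INPUT -i {w} -s {e} -j ACCEPT")
        for net in PRIVATE_RANGES:
            cmds.append(f"iptables -A INPUT -i {w} -s {net} -j DROP")
    return cmds


if __name__ == "__main__":
    strict = {"all": 1}
    loose_eth2 = {"all": 1, "eth2": 2}
    wan = ["eth0", "eth2"]
    print(inbound_verdict("198.51.100.7", "203.0.113.5", "eth2", strict, wan))
    print(inbound_verdict("198.51.100.7", "203.0.113.5", "eth2", loose_eth2, wan))
    print(inbound_verdict("10.1.2.3", "203.0.113.5", "eth2", loose_eth2, wan))
    for c in render_commands(["eth2"], wan, ["172.16.9.0/24"]):
        print(c)
```

Two caveats the model makes visible. First, the per-interface value cannot loosen below the global one: the kernel uses the maximum of conf/all/rp_filter and conf/<iface>/rp_filter, so setting eth2 to 2 while all stays at 1 works (max is 2), but setting eth2 to 0 under all=1 still leaves strict mode on eth2. Second, rp_filter runs in the routing input path before the filter table, so an rp_filter drop is only ever seen through log_martians, never through an iptables LOG rule; the anti-spoof rule only ever judges packets that rp_filter already let in, which is precisely the private-source case that loose mode stops catching.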