From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Chris Brenton <cbrenton@chrisbrenton.org>
Cc: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: Loose source routed IP packets.
Date: Tue, 23 Sep 2003 15:37:23 +0200 [thread overview]
Message-ID: <1064324242.25975.111.camel@raylinux.internal> (raw)
In-Reply-To: <3F704912.6010800@chrisbrenton.org>
[-- Attachment #1: Type: text/plain, Size: 1635 bytes --]
On Tue, 2003-09-23 at 15:22, Chris Brenton wrote:
> Ray Leach wrote:
> >
> > How about :
> > ### don't accept source routed packets
> > /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
>
> I keep meaning to do some testing with this but have not had the
> bandwidth. Just wondering if anyone else actually has.
>
> I would expect the above would work fine with strict source routing, but
> I'm not so sure about loose source routing unless the firewall was one
> of the defined jump points.
>
> For example, let's say I know you "trust" some IP address on the
> Internet and permit a greater level of access from it to one of your
> internal systems. I craft the following packet:
>
> source IP = mine
> Dest IP = "trusted" Internet host
> First byte of IP options = 83
> IP in options field = your internal server
>
> In this case none of the IPs are the firewalls so I'm not so sure
> accept_source_route would even be referenced. Does the kernel check the
> size of all IP headers and process the included options even if its not
> the destination IP? I would think it would not for efficiency, but then
> again it might to deal with things like option 7 (record route).
>
> Has anyone tested this either way?
>
I suppose the easy answer is to check the kernel source code.
> Thanks in advance!
> Chris
--
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
prev parent reply other threads:[~2003-09-23 13:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-09-23 11:47 Loose source routed IP packets Carles Xavier Munyoz Baldó
2003-09-23 12:12 ` Maciej Soltysiak
2003-09-23 12:31 ` Ray Leach
2003-09-23 13:22 ` Chris Brenton
2003-09-23 13:37 ` Ray Leach [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1064324242.25975.111.camel@raylinux.internal \
--to=raymondl@knowledgefactory.co.za \
--cc=cbrenton@chrisbrenton.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox