* Let me make sure I have this right (fib)
@ 2020-05-28 13:02 Stephen Satchell
2020-05-28 13:13 ` Florian Westphal
0 siblings, 1 reply; 2+ messages in thread
From: Stephen Satchell @ 2020-05-28 13:02 UTC (permalink / raw)
To: Linux Netfilter Users List
Objective: to implement the send restrictions for BCP-38.
In FILTER/PREROUTING, FILTER/INPUT, and FILTER/FORWARD, the selectors
"fib saddr type <x>" and "fib saddr oif <x>" lets me examine the
characteristics of the packet's source address, such as BROADCAST,
PROHIBITED, &c.
In FILTER/FORWARD, FILTER/OUTPUT, and FILTER/POSTROUTING, the selector
"fib daddr type <x>" and "oif <x>" lets me examine the characteristics
of the packet's destination address.
Now, for packets generated by a local process, how can I filter packets
with spoofed source addresses? This is to block bad stuff if for some
reason the firewall box is compromised. Earlier comments indicated that
"fib saddr type <x>" and "fib saddr oif <x> are not allowed in the
FILTER/OUTPUT and FILTER/POSTROUTING chains.
Help?
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-05-28 13:13 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-05-28 13:02 Let me make sure I have this right (fib) Stephen Satchell
2020-05-28 13:13 ` Florian Westphal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox