Date:      Fri, 29 Aug 2003 14:45:55 +0200
From:      Sten Daniel Sørsdal
Subject:   verrevpath - denies local multicast. Is this intended?


When using verrevpath it seems to drop local multicast packets such as
I use it as suggested: deny log ip from any to any not verrevpath

Aug 29 14:32:08 <> fictious /kernel: ipfw: 1011 Deny UDP = in via fxp1

I read in /sys/netinet/ip_fw2.c:

 * The 'verrevpath' option checks that the interface that an IP packet
 * arrives on is the same interface that traffic destined for the
 * packet's source address would be routed out of. This is a measure
 * to block forged packets. This is also commonly known as "anti-spoofing"
 * or Unicast Reverse Path Forwarding (Unicast RPF) in Cisco-ese. The
 * name of the knob is purposely reminiscent of the Cisco IOS command,
 *   ip verify unicast reverse-path
 * which implements the same functionality. But note that syntax is
 * misleading. The check may be performed on all IP packets whether unicast,
 * multicast, or broadcast.

Does this mean it should deny multicast and broadcasts, or that it really should
verify that the multicast path is correct?

I'm a little confused since it does allow DHCP (broadcast) to function.

- Sten
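To make the definition in the quoted comment concrete, here is an added example (not code from the mail and not the FreeBSD kernel's implementation) that models the verrevpath decision in Python. The two-interface routing table, the interface names and the sample packets are all constructed for the illustration. The point it shows is the one the comment's last sentence makes: the check looks up the packet's source address and compares the resulting egress interface with the arrival interface, and the destination, whether unicast, multicast or broadcast, never enters the decision.

```python
import ipaddress

# Constructed routing table for a two-interface host (an assumption for this
# example, not taken from the original mail): fxp0 faces the upstream provider,
# fxp1 faces the local LAN.
ROUTES = [
    ("0.0.0.0/0",    "fxp0"),  # default route out the upstream interface
    ("192.0.2.0/24", "fxp0"),  # the upstream link network itself
    ("10.1.1.0/24",  "fxp1"),  # the LAN behind fxp1
]


def route_ifname(addr, routes=ROUTES):
    """Longest-prefix match: the interface traffic *to* addr would leave by,
    or None when the table has no route at all for it."""
    ip = ipaddress.ip_address(addr)
    best_net, best_if = None, None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def verrevpath(src, rcvif, routes=ROUTES):
    """Model of the verrevpath test described in the ip_fw2.c comment: look up
    the packet's SOURCE address as if it were a destination and require that
    the egress interface for it equals the interface the packet arrived on.
    Note what is absent: the destination address is never consulted, so a
    multicast or broadcast destination gets exactly the same treatment as a
    unicast one."""
    return route_ifname(src, routes) == rcvif


def rule_verdict(src, dst, rcvif, routes=ROUTES):
    """'deny log ip from any to any not verrevpath' as a function.
    dst is accepted only to make the point that it does not matter."""
    return "pass" if verrevpath(src, rcvif, routes) else "deny"


# Constructed sample packets (src, dst, arrival interface); none are taken
# from the original report.
PACKETS = [
    ("10.1.1.20",   "224.0.0.1",  "fxp1"),  # LAN host -> all-hosts multicast, seen on the LAN
    ("10.1.1.20",   "10.1.1.255", "fxp1"),  # LAN host -> subnet broadcast, seen on the LAN
    ("10.1.1.20",   "224.0.0.1",  "fxp0"),  # LAN source seen on the upstream: forged
    ("192.0.2.77",  "10.1.1.1",   "fxp0"),  # upstream neighbour -> us, on the upstream
    ("203.0.113.9", "10.1.1.1",   "fxp0"),  # remote source; default route points at fxp0
    ("203.0.113.9", "224.0.0.1",  "fxp1"),  # same source injected on the LAN: forged
]


def audit(packets=PACKETS, routes=ROUTES):
    """Apply the rule to each packet; returns a list of (src, dst, rcvif, verdict)."""
    return [(s, d, i, rule_verdict(s, d, i, routes)) for s, d, i in packets]


if __name__ == "__main__":
    for src, dst, rcvif, verdict in audit():
        print(f"{verdict:4}  {src:>12} -> {dst:<11} in via {rcvif}")
```

Two caveats on the model. First, it stops at exactly what the comment states: a default route counts as a valid reverse path, so a source that only matches 0.0.0.0/0 passes on fxp0 and is refused on fxp1, which is the interface-level check the option is meant to provide. Second, it makes no attempt to reproduce how the kernel treats a 0.0.0.0 DHCP source, which is the case the mail leaves open; in this model such a source would only match the default route.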
