Date: Fri, 29 Aug 2003 14:45:55 +0200
From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: <freebsd-ipfw@freebsd.org>
Subject: verrevpath - denies local multicast. Is this intended?
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DF28@exchange.wanglobal.net>
When using verrevpath it seems to drop local multicast packets such as RIP2. I use it as suggested:

    deny log ip from any to any not verrevpath

Log entry:

    Aug 29 14:32:08 <security.info> fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1

I read in /sys/netinet/ip_fw2.c:

    /*
     * The 'verrevpath' option checks that the interface that an IP packet
     * arrives on is the same interface that traffic destined for the
     * packet's source address would be routed out of. This is a measure
     * to block forged packets. This is also commonly known as "anti-spoofing"
     * or Unicast Reverse Path Forwarding (Unicast RPF) in Cisco-ese. The
     * name of the knob is purposely reminiscent of the Cisco IOS command,
     *
     *   ip verify unicast reverse-path
     *
     * which implements the same functionality. But note that syntax is
     * misleading. The check may be performed on all IP packets whether unicast,
     * multicast, or broadcast.
     */

Does this mean it should deny multicast and broadcasts, or that it really should verify that the multicast path is correct?
I'm a little confused since it does allow DHCP (broadcast) to function.

- Sten
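Added example (not from the poster and not FreeBSD's ip_fw2.c): a user-space model of the check the quoted comment describes. It does a longest-prefix route lookup on the packet's source address and requires the egress interface of that route to equal the interface the packet arrived on; the destination address is never read, so a multicast or broadcast destination is neither special-cased nor separately verified. Everything about the topology is an assumption: interface indices for fxp0 and fxp1, a constructed routing table, and in particular that 80.86.140.0/24 is reachable via fxp0 rather than fxp1, which is the kind of table that would produce the logged deny. A source with no route, or a packet with no ingress interface, fails the check.

```c
#include <stdint.h>
#include <stdio.h>

/* Interface indices for the constructed topology. ASSUMPTION: fxp0 is the
 * upstream link and fxp1 is the LAN on which the RIP2 announcement arrived. */
enum { IF_NONE = 0, IF_FXP0 = 1, IF_FXP1 = 2 };

static const char *ifname(int ifindex) {
    switch (ifindex) {
    case IF_FXP0: return "fxp0";
    case IF_FXP1: return "fxp1";
    default:      return "none";
    }
}

/* A packet as far as the check cares. verify_rev_path() never reads dst. */
struct packet {
    const char *src;
    const char *dst;
    int in_ifindex;
};

struct route_entry {
    const char *net;   /* dotted-quad network address */
    int plen;          /* prefix length */
    int ifindex;       /* egress interface */
};

/* Constructed routing table (assumption, not the poster's real FIB).
 * 80.86.140.0/24 is placed behind fxp0 so the logged packet fails. */
static const struct route_entry fib[] = {
    { "0.0.0.0",       0, IF_FXP0 },   /* default route */
    { "80.86.140.0",  24, IF_FXP0 },
    { "192.168.10.0", 24, IF_FXP1 },
};

/* Parse a dotted quad into a host-order 32-bit value (0 on parse failure). */
uint32_t ip4(const char *s) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t prefix_mask(int plen) {
    if (plen <= 0) return 0u;
    if (plen >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - plen);
}

/* Longest-prefix match; returns the egress ifindex, or IF_NONE if no route. */
int route_lookup(uint32_t addr) {
    int best_plen = -1, best_if = IF_NONE;
    for (size_t i = 0; i < sizeof fib / sizeof fib[0]; i++) {
        uint32_t m = prefix_mask(fib[i].plen);
        if ((addr & m) == (ip4(fib[i].net) & m) && fib[i].plen > best_plen) {
            best_plen = fib[i].plen;
            best_if = fib[i].ifindex;
        }
    }
    return best_if;
}

/* The verrevpath test as the quoted comment describes it: route the packet's
 * SOURCE and require that route's egress interface to be the ingress one.
 * No route, or no ingress interface, means the check fails. */
int verify_rev_path(uint32_t src, int in_ifindex) {
    int egress = route_lookup(src);
    if (egress == IF_NONE || in_ifindex == IF_NONE) return 0;
    return egress == in_ifindex;
}

/* 1 if "deny ip from any to any not verrevpath" would drop this packet. */
int rule_denies(const struct packet *p) {
    return !verify_rev_path(ip4(p->src), p->in_ifindex);
}

int main(void) {
    /* Constructed packets; the first mirrors the poster's log entry. */
    const struct packet pkts[] = {
        { "80.86.140.54", "224.0.0.9", IF_FXP1 }, /* RIP2 in via fxp1 */
        { "80.86.140.54", "224.0.0.9", IF_FXP0 }, /* same packet in via fxp0 */
        { "192.168.10.5", "224.0.0.9", IF_FXP1 }, /* multicast from the LAN */
        { "192.168.10.5", "10.0.0.1",  IF_FXP1 }, /* unicast from the LAN */
        { "192.168.10.5", "10.0.0.1",  IF_FXP0 }, /* LAN source on the wrong side */
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        const struct packet *p = &pkts[i];
        printf("%-14s -> %-10s in via %s: %s\n", p->src, p->dst,
               ifname(p->in_ifindex), rule_denies(p) ? "Deny" : "pass");
    }
    return 0;
}
```

The multicast source from the LAN passes and the same multicast destination from 80.86.140.54 fails, which is the point: only the source's route and the ingress interface decide. On the real box the equivalent question is what `route -n get 80.86.140.54` reports as the interface; if it is not fxp1, the deny in the log is the check working as documented.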