Date:      Fri, 29 Aug 2003 14:45:55 +0200
From:      Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To:        <freebsd-ipfw@freebsd.org>
Subject:   verrevpath - denies local multicast. Is this intended?
Message-ID:  <0AF1BBDF1218F14E9B4CCE414744E70F07DF28@exchange.wanglobal.net>


When using verrevpath it seems to drop local multicast packets such as RIP2.
I use it as suggested: deny log ip from any to any not verrevpath

Log entry:
Aug 29 14:32:08 <security.info> fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1

I read in /sys/netinet/ip_fw2.c:

/*
 * The 'verrevpath' option checks that the interface that an IP packet
 * arrives on is the same interface that traffic destined for the
 * packet's source address would be routed out of. This is a measure
 * to block forged packets. This is also commonly known as "anti-spoofing"
 * or Unicast Reverse Path Forwarding (Unicast RFP) in Cisco-ese. The
 * name of the knob is purposely reminiscent of the Cisco IOS command,
 *
 *   ip verify unicast reverse-path
 *
 * which implements the same functionality. But note that syntax is
 * misleading. The check may be performed on all IP packets whether unicast,
 * multicast, or broadcast.
 */

Does this mean it should deny multicast and broadcasts, or that it really should
verify that the multicast path is correct?

I'm a little confused since it does allow DHCP (broadcast) to function.


- Sten
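An added illustration, not code from this post or from ip_fw2.c: a small Python model of the check the quoted comment describes, which looks up the route back to the packet's *source* address and compares its outgoing interface with the interface the packet arrived on; the destination (unicast, multicast or broadcast) is never consulted. The routing table is constructed for the example and is an assumption, not the poster's network.

```python
import ipaddress

# Constructed routing table (assumption for this example, not the poster's
# real configuration): (prefix, outgoing interface). Longest prefix match wins.
ROUTES = [
    ("0.0.0.0/0", "fxp0"),        # default route towards the upstream
    ("80.86.140.0/24", "fxp0"),   # the logged source address is reached via fxp0
    ("192.168.1.0/24", "fxp1"),   # a LAN behind fxp1
]


def route_ifp(addr: str):
    """Interface a packet *to* addr would leave on (longest prefix match), or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifp in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifp)
    return best[1] if best else None


def verrevpath(src: str, in_ifp: str) -> bool:
    """Model of the verrevpath test: the route back to src must leave via in_ifp.

    A missing route fails the check, as does an interface mismatch.
    """
    return route_ifp(src) == in_ifp


def ipfw_verdict(src: str, dst: str, in_ifp: str) -> str:
    """Verdict of 'deny ip from any to any not verrevpath'.

    dst is accepted only to make the point visible: it plays no role.
    """
    return "pass" if verrevpath(src, in_ifp) else "deny"


if __name__ == "__main__":
    # The logged packet: RIP2 to 224.0.0.9 from 80.86.140.54 arriving on fxp1,
    # while the route back to 80.86.140.54 leaves via fxp0 -> denied.
    print(ipfw_verdict("80.86.140.54", "224.0.0.9", "fxp1"))
    # Same multicast destination, source that really lives behind fxp1 -> passes.
    print(ipfw_verdict("192.168.1.10", "224.0.0.9", "fxp1"))
```

With this table the logged RIP2 packet is denied because of its source address and inbound interface, not because it is multicast; the same multicast destination passes when the source is routed back out of the arrival interface.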


