From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 29 05:48:27 2003
Date: Fri, 29 Aug 2003 14:45:55 +0200
From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: freebsd-ipfw@freebsd.org
Subject: verrevpath - denies local multicast. Is this intended?

when using verrevpath it seems to drop local multicast packets such as RIP2.

i use it as suggested;

deny log ip from any to any not verrevpath

logentry:

Aug 29 14:32:08 fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1

i read in /sys/netinet/ip_fw2.c:

/*
 * The 'verrevpath' option checks that the interface that an IP packet
 * arrives on is the same interface that traffic destined for the
 * packet's source address would be routed out of. This is a measure
 * to block forged packets. This is also commonly known as "anti-spoofing"
 * or Unicast Reverse Path Forwarding (Unicast RFP) in Cisco-ese. The
 * name of the knob is purposely reminisent of the Cisco IOS command,
 *
 *   ip verify unicast reverse-path
 *
 * which implements the same functionality. But note that syntax is
 * misleading. The check may be performed on all IP packets whether unicast,
 * multicast, or broadcast.
 */

does this mean it should deny multicast and broadcasts or that it really should
verify that the multicast path is correct?

i'm a little confused since it does allow dhcp (broadcast) to function.

- Sten
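To see which of the hits logged by a `deny ... not verrevpath` rule are multicast or broadcast rather than unicast, the log format from the post can be parsed and the destination classified. This is an added example, not code from the post or from FreeBSD; the function names, the rule number 1011 and the two extra log lines (one unicast, one limited-broadcast) are constructed for illustration.

```python
import re
import ipaddress

# Shape of the ipfw log line quoted in the post:
# "... ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw_log(line):
    """Return the fields of one ipfw log line as a dict, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for k in ("sport", "dport"):
        rec[k] = int(rec[k]) if rec[k] else None
    return rec

def classify_dst(addr):
    """'multicast' for 224.0.0.0/4, 'broadcast' for the limited broadcast address, else 'unicast'."""
    if ipaddress.ip_address(addr).is_multicast:
        return "multicast"
    if addr == "255.255.255.255":
        return "broadcast"
    return "unicast"

def find_nonunicast_denies(lines, rule):
    """Denies logged by `rule` whose destination is not unicast; these are the packets a
    reverse-path rule catches even though no spoofing of a unicast source is involved."""
    hits = []
    for line in lines:
        rec = parse_ipfw_log(line)
        if rec and rec["rule"] == rule and rec["action"] == "Deny":
            kind = classify_dst(rec["dst"])
            if kind != "unicast":
                hits.append((kind, rec["proto"], rec["src"], rec["dst"], rec["iface"]))
    return hits

# Constructed sample: the RIP2 line from the post plus two made-up lines for contrast
# (a unicast deny that is not reported, and a limited-broadcast deny that is).
SAMPLE_LOG = [
    "Aug 29 14:32:08 fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1",
    "Aug 29 14:32:09 fictious /kernel: ipfw: 1011 Deny TCP 10.0.0.5:4444 80.86.140.1:22 in via fxp0",
    "Aug 29 14:32:10 fictious /kernel: ipfw: 1011 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via fxp1",
]

if __name__ == "__main__":
    for hit in find_nonunicast_denies(SAMPLE_LOG, 1011):
        print(hit)
```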