Date:      Wed, 12 Mar 2003 12:09:03 -0800
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: Source ip route lookup on incoming packets?
Message-ID:  <20030312200903.GG16143@blossom.cjclark.org>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DE63@exchange.wanglobal.net>
References:  <0AF1BBDF1218F14E9B4CCE414744E70F07DE63@exchange.wanglobal.net>

On Thu, Feb 27, 2003 at 02:02:53PM +0100, Sten Daniel Sørsdal wrote:
> 
>  Has anyone made any patches to look up the source IP for a packet to be routed
>  so that it comes from the right interface?
>  I've heard a lot of talk from people going to write patches to do this
>  but no patches have turned up and no help from Google.
> 
>  What I am looking for is a feature that basically prevents spoofing by looking
>  up the route for the source and matching the incoming interface.
>  A firewall solves the problem but adds a lot of administrative overhead and
>  leaves room for error.
> 
>  Is this feature even possible on FreeBSD?

For the sake of the email archive (since I know the post's author is
already aware of this):

Yes, this is possible. I just added an option to ipfw(8) to do this. It
is called 'verrevpath.' See the thread "Anti-Spoofing Option" on the
freebsd-ipfw list. Coming soon to a FreeBSD repository near you.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
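
The reverse-path check asked about in the quoted question, as an added example that is not part of the original message and is not ipfw's code: look up the route for the packet's source address and accept only if that route leaves through the interface the packet arrived on. The routing table, the interface names (em0, em1, em2), the packet records and all function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "em0"),        # default route via the upstream link
    ("10.1.0.0/16", "em1"),      # internal LAN
    ("10.1.200.0/24", "em2"),    # more specific subnet behind another interface
]


def build_table(routes):
    """Parse prefixes once and sort so the longest prefix is tried first."""
    table = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)


def route_lookup(table, addr):
    """Return the outgoing interface for addr (longest-prefix match), or None."""
    ip = ipaddress.ip_address(addr)
    for net, ifname in table:
        if ip in net:
            return ifname
    return None


def reverse_path_ok(table, src, recv_if):
    """True if the route back to src leaves via the interface the packet came in on."""
    if recv_if is None:          # no incoming interface (locally generated): nothing to verify
        return True
    return route_lookup(table, src) == recv_if


def filter_packets(table, packets):
    """Split constructed (src, recv_if) records into accepted and dropped lists."""
    accepted, dropped = [], []
    for src, recv_if in packets:
        bucket = accepted if reverse_path_ok(table, src, recv_if) else dropped
        bucket.append((src, recv_if))
    return accepted, dropped


if __name__ == "__main__":
    table = build_table(ROUTES)
    sample = [("10.1.5.9", "em1"), ("10.1.5.9", "em0"), ("10.1.200.7", "em1"),
              ("198.51.100.4", "em0"), ("198.51.100.4", "em2")]
    ok, bad = filter_packets(table, sample)
    print("accepted:", ok)
    print("dropped: ", bad)
```

With asymmetric routing, legitimate traffic that arrives on a link other than the best return path fails this strict check, so it fits best on interfaces where the path to each source is unambiguous.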
