RE: uRPF on FreeBSD

From: Sten Daniel Sørsdal (sten.daniel.sorsdal_at_wan.no)
Date: 10/06/03

Date: Mon, 6 Oct 2003 14:02:52 +0200
To: "Haesu" <haesu@towardex.com>, <freebsd-isp@freebsd.org>

    >
    > Is there any reverse-path verification feature in FreeBSD kernel?
    >
    > reverse-path verification as in uRPF (unicast reverse path
    > filtering) widely
    > used for anti-ip-spoofing.
    >
    > If it is supported, then does FreeBSD's uPRF implementation
    > also allow loose
    > and strict check like on Cisco?
    >

    Yes, IPFW2 has this option implemented as option 'verrevpath'.
    ex. deny not verrevpath

    man ipfw says:

         verrevpath
                 For incoming packets, a routing table lookup is done on the
                 packet's source address. If the interface on which the packet
                 entered the system matches the outgoing interface for the route,
                 the packet matches. If the interfaces do not match up, the
                 packet does not match. All outgoing packets or packets with no
                 incoming interface match.

                 The name and functionality of the option is intentionally similar
                 to the Cisco IOS command:

                       ip verify unicast reverse-path

                 This option can be used to make anti-spoofing rules.

    -- Sten
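As an added example (not from the original message or the ipfw project), here is a minimal ipfw anti-spoofing ruleset built around the 'verrevpath' option Sten quotes; the rule numbers, the DRY_RUN wrapper and the helper names are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal ipfw ruleset using
# the 'verrevpath' reverse-path check for anti-spoofing.
# Assumptions: rule numbers 100-120 are free, and the host is a router whose
# legitimate traffic arrives on the interface its routing table points back to.

IPFW="${IPFW:-ipfw}"        # ipfw binary; override for testing
DRY_RUN="${DRY_RUN:-0}"     # 1 = print the commands instead of running them

# Print or execute a single ipfw command.
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPFW" "$*"
    else
        "$IPFW" "$@"
    fi
}

# Install the reverse-path rules in order.
urpf_rules() {
    # Loopback traffic is exempt; verrevpath would match it anyway
    # ("packets with no incoming interface match"), but be explicit.
    run_rule add 100 allow ip from any to any via lo0
    # Strict check: an incoming packet whose source address would be routed
    # out through a different interface than the one it arrived on is treated
    # as spoofed (or asymmetrically routed) and is logged and dropped.
    run_rule add 110 deny log ip from any to any in not verrevpath
    # Everything that passed the reverse-path test continues to the rest
    # of the ruleset; this example simply allows it.
    run_rule add 120 allow ip from any to any
}

# Count the emitted rules that use the reverse-path check, so a dry run
# can be verified without touching the kernel.
count_verrevpath() {
    urpf_rules | grep -c 'verrevpath'
}

if [ "${1:-}" = "apply" ]; then
    urpf_rules
fi
```

Strict reverse-path checking drops legitimate traffic on asymmetrically routed links, so start with DRY_RUN=1 and watch the logged denies before relying on it; later ipfw versions also offer `versrcreach` as a looser check (the source merely has to be routable), closer to Cisco's loose mode.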

