Re: IPFW2 versrcreach update
From: Andre Oppermann (andre_at_freebsd.org)
Date: 07/21/04
Date: Wed, 21 Jul 2004 13:53:28 +0200
To: James <james@towardex.com>
James wrote:
>
> Andre,
>
> >
> > James,
> >
> > it just occurred to me; but what is the purpose of versrcreach denying a
> > packet that will be discarded a few cycles later anyway? When I mark
> > a route with -reject I want the ICMPs to go out and still use the versrcreach
> > functionality in ipfw.
>
> The point is to have uRPF loose-check *drop* the packets sourced from IPs that
> are null-routed. A null route would discard the packet destined *to* the null
> route, but it would never drop a packet *sourced* with an IP within the null
> route.
Yea, sorry, you are right. Wasn't really up to speed this morning... ;-)
> uRPF should not emit an ICMP when it drops a -reject route. Even with
> ip unreachables, Cisco won't emit ICMP when uRPF is killing a packet. The source
> that triggered uRPF drop condition cannot be trusted as it may have spoofed the
> packet.
Ok, I'll go ahead and commit this to ipfw2 later today.
--
Andre
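The distinction James draws above (a null route discards packets destined *to* the prefix, while loose uRPF drops packets *sourced* from it, and does so without any ICMP) can be made concrete with a small model. The following is an added example written for this page, not ipfw's own code: a toy FIB with `reject` and `blackhole` flags standing in for route(8)'s `-reject`/`-blackhole`, a longest-prefix lookup, a destination-side forwarding decision, and a `versrcreach`-style source check. The prefixes are constructed documentation ranges, and the choice to treat a default-route-only match as "not reachable" is this example's own assumption.

```python
import ipaddress

# Constructed sample FIB (not a real routing table): prefix -> route flags.
# "reject" models route -reject (drop, ICMP unreachable to the sender);
# "blackhole" models route -blackhole (drop silently).
SAMPLE_FIB = {
    "0.0.0.0/0": set(),              # default route, constructed
    "198.51.100.0/24": set(),        # ordinary connected/forwarded prefix
    "203.0.113.0/24": {"reject"},    # null route with ICMP
    "192.0.2.0/24": {"blackhole"},   # null route without ICMP
}


def lookup(fib, addr):
    """Longest-prefix match. Returns (network, flags) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, flags in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return best


def forward_decision(fib, dst):
    """Destination-side behaviour of a null route.

    Returns (action, sends_icmp). A -reject route drops *and* answers with
    ICMP unreachable; a -blackhole route drops silently; anything else
    is forwarded. This is what the null route alone does, and it never
    looks at the packet's source address.
    """
    match = lookup(fib, dst)
    if match is None:
        return ("drop", True)  # no route at all: ICMP unreachable
    _, flags = match
    if "reject" in flags:
        return ("drop", True)
    if "blackhole" in flags:
        return ("drop", False)
    return ("forward", False)


def versrcreach(fib, src):
    """Loose uRPF check on the *source* address, as discussed in the thread.

    Returns (passes, sends_icmp). The packet fails if the source has no
    route, if the only match is the default route (assumption of this
    toy), or if the best route is a reject/blackhole route. sends_icmp is
    always False: the source cannot be trusted, so nothing is sent back.
    """
    match = lookup(fib, src)
    if match is None:
        return (False, False)
    net, flags = match
    if net.prefixlen == 0:
        return (False, False)
    if flags & {"reject", "blackhole"}:
        return (False, False)
    return (True, False)


def filter_packet(fib, src, dst):
    """Combine both checks the way a 'versrcreach' rule in front of the
    forwarding path would: fail the source check first (silently), then
    let the destination lookup decide.
    """
    passes, _ = versrcreach(fib, src)
    if not passes:
        return ("drop", False)  # silent drop, no ICMP to a possibly spoofed source
    return forward_decision(fib, dst)


if __name__ == "__main__":
    # A packet spoofed from the rejected prefix towards a normal host: the
    # null route alone would forward it; versrcreach drops it silently.
    print(forward_decision(SAMPLE_FIB, "198.51.100.7"))          # ('forward', False)
    print(filter_packet(SAMPLE_FIB, "203.0.113.5", "198.51.100.7"))  # ('drop', False)
```

The interesting case is the last one: the forwarding lookup on the destination says "forward", so without the source check the spoofed packet would go through, and the `-reject` flag on the source's prefix would never have been consulted. With the check in place the drop is silent, matching James's point that no ICMP should be emitted to an address that may be spoofed.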