Re: IPFW2 versrcreach update

From: Petri Helenius (pete_at_he.iki.fi)
Date: 07/21/04

    Date: Wed, 21 Jul 2004 20:54:09 +0300
    To: James <james@towardex.com>
    
    

    James wrote:

    >
    >uRPF should not emit an ICMP when it drops a -reject route. Even with
    >ip unreachables, Cisco won't emit ICMP when uRPF is killing a packet. The source
    >that triggered uRPF drop condition cannot be trusted as it may have spoofed the
    >packet.
    >
    >
    >
    Where would the ICMP go anyway because you either don't have a route to
    where you would point the packet to or the route points to null.

    Pete

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

