julien@csoft.net (Julien Nadeau) writes:
>
> I was initially suggesting that Linux provides a way to drop outgoing
> packets
> with source address that doesn't match any local interface, say using a
> lookup
> table that could be occasionally sorted according to an interface's avg.
> usage;
> i was told that rp_filter drops spoofed packets; i was able to route a
> spoofed
> packet well with an unexisting source address through my router with
> rp_filter
> on an firewall ingress filtering off; the packet arrived to destination.
But it does really does ingress filtering. Are you sure that your routing
tables were correct and that it was really enabled (just echoing
it to conf/all is not enough). Also if you switch it on you need to
flush the routing cache (write something to route/flush), otherwise the
old routing cache entry that was created earlier prevents the source
validation.
-Andi
-- This is like TV. I don't like TV.- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:24 EST