verrevpath - denies local multicast. Is this intended?

Crist J. Clark cristjc at comcast.net
Thu Sep 4 21:49:52 PDT 2003


On Fri, Aug 29, 2003 at 02:45:55PM +0200, Sten Daniel Sørsdal wrote:
> 
> when using verrevpath it seems to drop local multicast packets such as RIP2.
> I use it as suggested; deny log ip from any to any not verrevpath
> 
> logentry:
> Aug 29 14:32:08 <security.info> fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1

What does,

  # route get 80.86.140.54

Return? If it's fxp1, I'm not sure what might be going wrong.

> I read in /sys/netinet/ip_fw2.c:
> 
> /*
>  * The 'verrevpath' option checks that the interface that an IP packet
>  * arrives on is the same interface that traffic destined for the
>  * packet's source address would be routed out of. This is a measure
>  * to block forged packets. This is also commonly known as "anti-spoofing"
>  * or Unicast Reverse Path Forwarding (Unicast RFP) in Cisco-ese. The
>  * name of the knob is purposely reminisent of the Cisco IOS command,
>  *
>  *   ip verify unicast reverse-path
>  *
>  * which implements the same functionality. But note that syntax is
>  * misleading. The check may be performed on all IP packets whether unicast,
>  * multicast, or broadcast.
>  */
> 
> Does this mean it should deny multicast and broadcasts, or that it really should
> verify that the multicast path is correct?

The _only_ thing it does is check that the interface a packet arrives
on is the same interface that it would route out of to reach the source
address of the packet. All that matters in this case is where
80.86.140.54 gets routed to.
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org
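As an added illustration (not code from this thread or from FreeBSD's ip_fw2.c), a small Python model of the check as Crist describes it: the inbound interface is compared with the interface a route lookup for the packet's source address selects, and the destination (multicast or not) is never consulted. The routing tables are constructed for the example; the log entry from the thread is used as the sample packet.

```python
import ipaddress

# Constructed routing table: (prefix, interface). Longest prefix wins,
# as in a kernel FIB lookup; 0.0.0.0/0 is the default route.
ROUTES = [
    ("0.0.0.0/0", "fxp0"),
    ("80.86.140.0/24", "fxp1"),
    ("192.168.1.0/24", "fxp2"),
]

# Constructed table where the RIP neighbour's address has no specific
# route and falls through to the default on fxp0 (a plausible cause of
# the deny seen in the thread).
DEFAULT_ONLY = [("0.0.0.0/0", "fxp0")]


def route_lookup(addr, routes=ROUTES):
    """Interface that traffic destined for `addr` would leave on
    (longest-prefix match), i.e. what `route get addr` reports."""
    ip = ipaddress.ip_address(addr)
    best_net, best_if = None, None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def verrevpath(src, dst, in_if, routes=ROUTES):
    """True when the packet passes 'verrevpath': the arrival interface equals
    the interface the source address routes out of. `dst` is accepted only to
    make the point that it plays no part in the decision."""
    return route_lookup(src, routes) == in_if


def rule_action(src, dst, in_if, routes=ROUTES):
    """Outcome of 'deny ip from any to any not verrevpath' for one packet."""
    return "Allow" if verrevpath(src, dst, in_if, routes) else "Deny"


if __name__ == "__main__":
    # The RIP2 packet from the log: 80.86.140.54:520 -> 224.0.0.9:520 in via fxp1
    for table, name in ((ROUTES, "specific route"), (DEFAULT_ONLY, "default only")):
        print(name, "->", route_lookup("80.86.140.54", table),
              rule_action("80.86.140.54", "224.0.0.9", "fxp1", table))
```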