verrevpath - denies local multicast. Is this intended?
Sten Daniel Sørsdal
sten.daniel.sorsdal at wan.no
Fri Aug 29 05:48:27 PDT 2003
When using verrevpath it seems to drop local multicast packets such as RIP2.
I use it as suggested: deny log ip from any to any not verrevpath
Log entry:
Aug 29 14:32:08 <security.info> fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1
I read in /sys/netinet/ip_fw2.c:
/*
* The 'verrevpath' option checks that the interface that an IP packet
* arrives on is the same interface that traffic destined for the
* packet's source address would be routed out of. This is a measure
* to block forged packets. This is also commonly known as "anti-spoofing"
* or Unicast Reverse Path Forwarding (Unicast RPF) in Cisco-ese. The
* name of the knob is purposely reminiscent of the Cisco IOS command,
*
* ip verify unicast reverse-path
*
* which implements the same functionality. But note that syntax is
* misleading. The check may be performed on all IP packets whether unicast,
* multicast, or broadcast.
*/
Does this mean it should deny multicast and broadcasts, or that it really should
verify that the multicast path is correct?
I'm a little confused, since it does allow DHCP (broadcast) to function.
- Sten
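As an added illustration (not from the thread or from ip_fw2.c), the snippet below parses ipfw deny log lines like the one above and runs a simplified reverse-path check of the kind the kernel comment describes: only the route back to the packet's source address is compared with the arrival interface, so a multicast or broadcast destination neither helps nor hurts. The routing table, the second log line and the hostname are constructed for the example.

```python
import ipaddress
import re

# Constructed routing table (an assumption, not the poster's real routes):
# destination prefix -> outgoing interface; longest prefix wins.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "fxp0",       # default route
    ipaddress.ip_network("80.86.140.0/24"): "fxp1",  # segment attached to fxp1
    ipaddress.ip_network("192.168.10.0/24"): "fxp2",
}

# The log line from the post, plus a constructed line whose source would be
# routed out a different interface than the one it arrived on.
SAMPLE_LOG = ("Aug 29 14:32:08 <security.info> fictious /kernel: ipfw: 1011 "
              "Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1")
CONSTRUCTED_LOG = ("Aug 29 14:40:00 <security.info> host /kernel: ipfw: 1011 "
                   "Deny UDP 10.20.30.40:520 224.0.0.9:520 in via fxp1")

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"in via (?P<ifname>\w+)"
)

def parse_ipfw_log(line):
    """Extract rule number, action, protocol, endpoints and interface; None if no match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def route_lookup(addr):
    """Longest-prefix match: the interface traffic to addr would be sent out of."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def verrevpath_ok(src, ifname):
    """Simplified verrevpath: the route back to the SOURCE must leave via ifname.
    The destination address is never consulted."""
    return route_lookup(src) == ifname

def classify(line):
    """Report the destination class and whether the reverse-path check would pass."""
    f = parse_ipfw_log(line)
    dst = ipaddress.ip_address(f["dst"])
    kind = "multicast" if dst.is_multicast else "unicast"
    return {"dst_kind": kind, "rpf_pass": verrevpath_ok(f["src"], f["ifname"])}

if __name__ == "__main__":
    for line in (SAMPLE_LOG, CONSTRUCTED_LOG):
        print(parse_ipfw_log(line)["src"], classify(line))
```

Both sample packets are destined to 224.0.0.9, yet under the constructed routes only the one whose source route points back out fxp1 passes, which is the behaviour the kernel comment's last sentence describes.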