uRPF on FreeBSD
Sten Daniel Sørsdal
sten.daniel.sorsdal at wan.no
Mon Oct 6 05:06:00 PDT 2003
> Is there any reverse-path verification feature in FreeBSD kernel?
>
> reverse-path verification as in uRPF (unicast reverse path filtering)
> widely used for anti-ip-spoofing.
>
> If it is supported, then does FreeBSD's uPRF implementation also allow
> loose and strict check like on Cisco?
>
Yes, IPFW2 has this option implemented as option 'verrevpath'.
e.g. ipfw add deny ip from any to any not verrevpath
man ipfw says:
verrevpath
For incoming packets, a routing table lookup is done on the
packet's source address. If the interface on which the packet
entered the system matches the outgoing interface for the route,
the packet matches. If the interfaces do not match up, the
packet does not match. All outgoing packets or packets with no
incoming interface match.
The name and functionality of the option is intentionally similar
to the Cisco IOS command:
ip verify unicast reverse-path
This option can be used to make anti-spoofing rules.
-- Sten
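To make the man page semantics concrete, here is an added illustration (not code from the message, the ipfw source, or the FreeBSD kernel) that models the verrevpath check over a constructed routing table: a longest-prefix lookup on the source address, a match when the route's outgoing interface equals the ingress interface, and an automatic match for outgoing packets. It also models the loose variant the question asks about (match if any non-default route to the source exists) so the two can be compared; whether ipfw itself offers a loose mode is not something this message states. Interface names, prefixes and packets are all made up for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table for the illustration: (prefix, outgoing interface).
# em0 is the upstream link (default route), em1/em2 face customer networks.
ROUTES = [
    ("0.0.0.0/0", "em0"),
    ("192.0.2.0/24", "em1"),
    ("198.51.100.0/24", "em2"),
    ("203.0.113.0/25", "em1"),
]
ROUTING_TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]

Route = Tuple[ipaddress.IPv4Network, str]


def lookup(addr: str) -> Optional[Route]:
    """Longest-prefix match on addr; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, ifc in ROUTING_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def verrevpath(src: str, in_ifc: Optional[str]) -> bool:
    """Strict check as the ipfw man page describes it: route lookup on the
    source address, match iff the route's outgoing interface is the
    interface the packet arrived on. Packets with no incoming interface
    (outgoing packets) always match."""
    if in_ifc is None:
        return True
    route = lookup(src)
    return route is not None and route[1] == in_ifc


def loose_rpf(src: str, in_ifc: Optional[str]) -> bool:
    """Loose check (Cisco 'any' style, assumed semantics): match if some
    route more specific than the default exists for the source address,
    regardless of which interface it points at."""
    if in_ifc is None:
        return True
    route = lookup(src)
    return route is not None and route[0].prefixlen > 0


def deny_not_verrevpath(packets: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str]]]:
    """Apply the rule 'deny ip from any to any not verrevpath' to a list of
    (source, ingress interface) pairs and return the packets it would drop."""
    return [pkt for pkt in packets if not verrevpath(*pkt)]


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface or None).
    sample = [
        ("192.0.2.10", "em1"),      # customer address on the customer port: ok
        ("192.0.2.10", "em0"),      # customer address arriving from upstream: spoofed
        ("198.51.100.5", "em1"),    # em2's prefix arriving on em1: spoofed
        ("8.8.8.8", "em0"),         # only the default route matches, and it is em0: ok
        ("8.8.8.8", "em1"),         # internet address arriving on a customer port: spoofed
        ("203.0.113.200", "em1"),   # outside the /25, falls to default (em0): spoofed
        ("10.9.8.7", None),         # outgoing packet: always matches
    ]
    for src, ifc in sample:
        print(f"{src:15} in={ifc!s:5} strict={verrevpath(src, ifc)!s:5} loose={loose_rpf(src, ifc)}")
    print("dropped:", deny_not_verrevpath(sample))
```

The difference between the two modes shows up on the upstream port: a spoofed packet claiming a customer address but arriving on em0 fails the strict check yet passes the loose one, because a route for that address exists, just not via em0. Strict mode is therefore the one that catches spoofing across interfaces, at the cost of false positives on asymmetric paths.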