IPFW2 versrcreach update

Andre Oppermann andre at freebsd.org
Wed Jul 21 04:53:28 PDT 2004


James wrote:
> 
> Andre,
> 
> >
> > James,
> >
> > it just occurred to me; but what is the purpose of versrcreach denying a
> > packet that will be discarded a few cycles later anyway?  When I mark
> > a route with -reject I want the ICMPs to go out and still use the versrcreach
> > functionality in ipfw.
> 
> The point is to have uRPF loose-check *drop* the packets sourced from IPs that
> are null-routed. A null route would discard the packet destined *to* the null
> route, but it would never drop a packet *sourced* with an IP within the null
> route.

Yea, sorry, you are right.  Wasn't really up to speed this morning... ;-)

> uRPF should not emit an ICMP when it drops a -reject route. Even with
> ip unreachables, Cisco won't emit ICMP when uRPF is killing a packet. The source
> that triggered uRPF drop condition cannot be trusted as it may have spoofed the
> packet.

Ok, I'll go ahead and commit this to ipfw2 later today.

-- 
Andre
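The distinction James draws above (a null route discards packets *to* a prefix, while loose uRPF drops packets *sourced from* it, and the uRPF drop is silent) is easy to see in a small simulation. The following Python is an added example written for this archive page, not code from ipfw or from the thread's participants. The FIB entries, the flag names and the `handle_packet` ordering (uRPF check before the destination lookup) are constructed assumptions; the treatment of a default route is deliberately not modelled.

```python
import ipaddress

# Constructed FIB for illustration only (prefixes are RFC 5737 documentation ranges).
# "reject" models a route added with -reject (discard + ICMP unreachable),
# "blackhole" models -blackhole (silent discard).
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), set()),           # ordinary route
    (ipaddress.ip_network("198.51.100.0/24"), {"reject"}),   # null route via -reject
    (ipaddress.ip_network("203.0.113.0/24"), {"blackhole"}), # null route via -blackhole
]


def lookup(addr):
    """Longest-prefix match over FIB; returns (prefix, flags) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, flags in FIB:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, flags)
    return best


def versrcreach(src):
    """Loose-mode uRPF as discussed in the thread: the source address must have
    a route, and that route must not be a reject/blackhole (null) route.
    Returns True when the packet passes the check."""
    hit = lookup(src)
    if hit is None:
        return False
    _, flags = hit
    return not (flags & {"reject", "blackhole"})


def handle_packet(src, dst):
    """Model of the forwarding path: (action, icmp_sent).

    The uRPF drop never emits ICMP, because the source that triggered it
    cannot be trusted (it may be spoofed). A -reject route on the *destination*
    still produces an ICMP unreachable, which is the behaviour Andre wanted to keep.
    """
    if not versrcreach(src):
        return ("drop", False)
    hit = lookup(dst)
    if hit is None:
        return ("drop", True)       # no route at all: host unreachable
    _, flags = hit
    if "reject" in flags:
        return ("drop", True)       # -reject: discard and send ICMP unreachable
    if "blackhole" in flags:
        return ("drop", False)      # -blackhole: silent discard
    return ("forward", False)


if __name__ == "__main__":
    # Packet *to* the null-routed prefix: discarded by the route, ICMP goes out.
    print(handle_packet("192.0.2.10", "198.51.100.7"))
    # Packet *from* the null-routed prefix: only versrcreach catches this, silently.
    print(handle_packet("198.51.100.7", "192.0.2.10"))
```

Running the block prints `('drop', True)` for the packet destined to the -reject prefix and `('drop', False)` for the packet sourced from it; without the `versrcreach` step the second packet would be forwarded, since a null route on its own never consults the source address.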
