Differences between version 6 of ReversePathFiltering and the predecessor to its previous major change.
Newer page: version 6, last edited on Tuesday, June 1, 2004 9:52:03 pm by CraigBox
Older page: version 5, last edited on Wednesday, November 26, 2003 4:27:42 pm by CraigBox
@@ -30,43 +30,32 @@
Router#show ip interface
<<Interface-type>> <<interface-num>> is up, line protocol is up
Internet address is xxx.xxx.xxx.xxx/xx
Broadcast address is xxx.xxx.xxx.xxx
- Address determined by non-volatile memory
- MTU is 1500 bytes
- Helper address is not set
- Directed broadcast forwarding is disabled
- Outgoing access list is internet_out
- Inbound
access list is internet_in
- Proxy ARP is disabled
- Local Proxy ARP is disabled
- Security level is default
- Split horizon is enabled
- ICMP redirects are never sent
- ICMP unreachables are never sent
- ICMP mask replies are never sent
- IP fast switching is enabled
- IP fast switching on the same interface is disabled
- IP Flow switching is disabled
- IP CEF switching is enabled
- IP CEF Feature Fast switching turbo vector
- IP multicast fast switching is enabled
- IP multicast distributed fast switching is disabled
- IP route-cache flags are Fast, CEF
- Router Discovery is disabled
- IP output packet accounting is disabled
- IP access violation accounting is disabled
- TCP/IP header compression is disabled
- RTP/IP header compression is disabled
- Probe proxy name replies are disabled
- Policy routing is disabled
- Network address translation is disabled
- WCCP Redirect outbound is disabled
- WCCP Redirect inbound is disabled
+ ...snip...
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
__IP verify source reachable-via RX, allow default__
__4 verification drops__
__0 suppressed verification drops__
-----
+João from Brazil writes:
+
+Hi
+nice article, but what you wrote here:
+
+''Reverse patch filtering (often abbreviated rp_filter) is a feature in the Linux networking system that checks incoming packets against the routing table, and if the source of a packet (the destination for it's reply) would not go out the interface that the packet came in on, it will be dropped.''
+
+is not entirely correct. Important is that in tcp/ip a packet does not come in and then goes out ... it may go through a firewall but this is not touched by rpf
+
+tcp/ip is not ping-pong, somebody sends a packet and gets an answer perhaps, but never the packet comes back
+
+in fact rpf do only check if the origin of the packet is routable from this interface and if not it discard it, so it handles mostly issues with faked IPs in fact
+
+rpf do not know who asked for this packet, means it do not care who send the initial requisition, this would be handled by dynamic fw rules.
+
+I guess that makes us InNeedOfRefactor. Aristotle, what do you know? ;)
+
+----
+
CategoryNetworking
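Review bot: the comment block added at the foot of this hunk quotes the article's definition as "Reverse patch filtering ... the destination for it's reply", while the page itself is titled ReversePathFiltering; the quoted line should read "Reverse path filtering" and "its reply", otherwise the correction that follows is pinned to a misquote. The substantive correction João makes is right and belongs in the article body rather than in an appended comment: the test is whether the best route to the packet's source address leaves via the interface the packet arrived on, with no notion of a request or a reply, so what it catches is forged source addresses. The Cisco output retained above the snip already says the same thing per interface ("IP verify source reachable-via RX", with "allow default" letting a default route satisfy the check), and "4 verification drops" is the counter where such packets land, so the prose and the sample output could be tied together in the same edit. The "...snip..." marker is a fair replacement for the thirty-odd irrelevant interface flags, but consider keeping the two access-list lines ("Outgoing access list is internet_out" / "Inbound access list is internet_in"), since filtering and uRPF on the same interface is the comparison the comment draws.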