
(Paraphrased from the excellent Linux Advanced Routing and Traffic Control HOWTO):

Reverse path filtering (often abbreviated rp_filter) is a feature of the Linux networking stack that checks each incoming packet against the routing table: if a reply to the packet's source address would not be routed out through the interface the packet arrived on, the packet is dropped.

By default, a router routes everything, even packets which 'obviously' don't belong on your network. For example, if you have an internal interface on 10.4.0.0/24, you don't expect a packet with source address 202.49.46.2 to arrive on that interface. If it did, your reply would be routed out your default gateway, and the packet could well be the beginning of an attack that relies on a spoofed source address.

Lots of people will want to turn this behaviour off, so the kernel hackers have made it easy. There are files under /proc/sys/net/ipv4/conf/ (one directory per interface, plus "all" and "default") where you can tell the kernel to do this for you. The method is called "Reverse Path Filtering": if the reply to a packet wouldn't go out the interface the packet came in on, the packet is bogus and is discarded.

If a packet arrived on your Linux router on eth1 claiming to come from the eth0 subnet, it would be dropped. Similarly, if a packet came from the eth0 subnet, claiming to be from somewhere outside your firewall, it would be dropped also.

The above is full, or strict, reverse path filtering (rp_filter set to 1). Kernels from 2.6.31 onwards also offer a loose mode (rp_filter set to 2), which only requires that the source address be reachable via some interface, not necessarily the one the packet arrived on. Strict filtering breaks in the case of asymmetric routing, where packets come in one way and go out another: satellite links (the data comes down through the satellite dish and replies go back through normal land-lines), or networks with dynamic (BGP, OSPF, RIP) routes where the best return path may not be the arrival interface.
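The check described above, as an added example that is not code from the HOWTO or from the kernel: a small Python simulation of the reverse path lookup over a constructed routing table, covering strict mode (rp_filter = 1), loose mode (rp_filter = 2) and off (0). The interface names, prefixes and addresses are invented for illustration; the real kernel performs the same comparison as part of its routing table (FIB) lookup on each received packet.

```python
"""Simulation of the reverse path check (illustrative, not kernel code)."""
import ipaddress

# Constructed routing table for a router with a LAN, an upstream link and a
# satellite feed: (prefix, output interface). Longest prefix wins, as in the
# kernel's FIB lookup, so the order of the entries does not matter.
ROUTES = [
    ("10.4.0.0/24", "eth1"),      # internal LAN behind eth1
    ("192.168.1.0/24", "eth0"),   # link network towards the upstream router
    ("0.0.0.0/0", "eth0"),        # default route: everything else leaves via eth0
    ("203.0.113.0/24", "sat0"),   # the only prefix routed back via the satellite link
]


def route_lookup(dst, routes=ROUTES):
    """Return the interface a packet to dst would leave by (longest-prefix match), or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter(src, in_iface, mode, routes=ROUTES):
    """Decide whether a packet with source src arriving on in_iface passes rp_filter.

    mode 0: filtering disabled, everything passes.
    mode 1: strict; the reply to src must leave through in_iface.
    mode 2: loose; src merely has to be reachable through some interface.
    Returns True if the packet is accepted, False if it is dropped as a martian.
    """
    if mode == 0:
        return True
    out_iface = route_lookup(src, routes)
    if out_iface is None:
        return False              # no route back to the source at all
    if mode == 2:
        return True               # loose mode: any return path is good enough
    return out_iface == in_iface  # strict mode: return path must match the arrival interface


def demo():
    """Run the constructed cases from the text through all three modes."""
    cases = [
        ("202.49.46.2", "eth1"),    # outside address arriving on the LAN interface
        ("10.4.0.5", "eth0"),       # LAN address arriving from outside
        ("10.4.0.5", "eth1"),       # LAN address arriving where it belongs
        ("198.51.100.7", "sat0"),   # asymmetric: arrives via satellite, reply goes out eth0
        ("203.0.113.9", "sat0"),    # satellite-routed prefix, symmetric
    ]
    return {
        (src, iface): {mode: rp_filter(src, iface, mode) for mode in (0, 1, 2)}
        for src, iface in cases
    }


if __name__ == "__main__":
    for (src, iface), verdicts in demo().items():
        print(f"{src:>14} in on {iface}: off={verdicts[0]} strict={verdicts[1]} loose={verdicts[2]}")
```

The fourth case is the asymmetric routing problem from the paragraph above: the packet from 198.51.100.7 is perfectly legitimate, but strict mode drops it because the reply would go out eth0 rather than back through sat0. Loose mode accepts it, but note that with a default route present loose mode accepts almost any source, so it is a much weaker anti-spoofing control.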

If this exception applies to you (and you'll probably know if it does) you can simply turn off rp_filter on the interface where the satellite data comes in. One caveat: on current kernels (2.6.31 and later) the value enforced on an interface is the higher of conf/all/rp_filter and conf/<interface>/rp_filter, so to exempt one interface you must leave "all" at 0 and enable filtering on each of the other interfaces individually; setting "all" to 1 overrides a per-interface 0. If you want to see whether any packets are being dropped, set the log_martians file in the same directory to 1 and the kernel will log each dropped packet to your syslog as a "martian source".
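A helper for applying those /proc settings, as an added example that is not part of the HOWTO or of PerrysFirewallingScript: it enables strict rp_filter and log_martians on every listed interface, exempts the satellite interface, and builds in the "all versus per-interface" caveat. It assumes the max(all, interface) semantics of kernels 2.6.31 and later. The interface names are invented, and the fake directory tree exists only so the logic can be exercised without root; pointing the root at the real /proc/sys/net/ipv4/conf requires root privileges.

```python
"""Set Linux rp_filter / log_martians per interface through /proc (illustrative helper)."""
import tempfile
from pathlib import Path

PROC_CONF = Path("/proc/sys/net/ipv4/conf")  # real location; writing here needs root


def write_knob(root, interface, knob, value):
    """Write an integer to <root>/<interface>/<knob>, e.g. .../eth0/rp_filter."""
    (Path(root) / interface / knob).write_text(f"{int(value)}\n")


def read_knob(root, interface, knob):
    """Read an integer back from <root>/<interface>/<knob>."""
    return int((Path(root) / interface / knob).read_text().strip())


def effective_rp_filter(root, interface):
    """What the kernel enforces on interface: the higher of 'all' and the interface's own value
    (assumes the 2.6.31+ semantics described in Documentation/networking/ip-sysctl.txt)."""
    return max(read_knob(root, "all", "rp_filter"), read_knob(root, interface, "rp_filter"))


def configure_rp_filter(root, interfaces, exempt=(), log_martians=True):
    """Enable strict rp_filter (1) on every interface except those in exempt (set to 0).

    'all' is pinned to 0 so that a per-interface 0 is honoured, and 'default' is set
    to 1 so interfaces created later start out filtered. Returns the effective value
    per interface so the caller can verify the result.
    """
    write_knob(root, "all", "rp_filter", 0)
    write_knob(root, "default", "rp_filter", 1)
    for iface in interfaces:
        write_knob(root, iface, "rp_filter", 0 if iface in exempt else 1)
        write_knob(root, iface, "log_martians", 1 if log_martians else 0)
    return {iface: effective_rp_filter(root, iface) for iface in interfaces}


def make_fake_conf(root, interfaces):
    """Lay out a /proc-like tree in a scratch directory so the helper can be exercised unprivileged."""
    for name in ("all", "default", *interfaces):
        d = Path(root) / name
        d.mkdir(parents=True, exist_ok=True)
        (d / "rp_filter").write_text("0\n")
        (d / "log_martians").write_text("0\n")


def demo():
    """Configure a fake tree with the satellite interface exempted, then show the 'all' pitfall."""
    ifaces = ["eth0", "eth1", "sat0"]
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_conf(tmp, ifaces)
        result = configure_rp_filter(tmp, ifaces, exempt={"sat0"})
        result["log_martians_eth1"] = read_knob(tmp, "eth1", "log_martians")
        # The classic mistake: turning on 'all' silently re-enables filtering on sat0.
        write_knob(tmp, "all", "rp_filter", 1)
        result["sat0_if_all_is_1"] = effective_rp_filter(tmp, "sat0")
        return result


if __name__ == "__main__":
    # Dry run against a scratch tree. For the real thing, as root:
    #   configure_rp_filter(PROC_CONF, ["eth0", "eth1", "sat0"], exempt={"sat0"})
    print(demo())
```

The return value of configure_rp_filter is worth checking rather than assuming: with the constructed interfaces it reports eth0 and eth1 at 1 and sat0 at 0, and the last line of demo() shows sat0 jumping back to 1 the moment "all" is set, which is exactly the surprise the caveat in the paragraph above warns about.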

This is implemented by the "if_feature rp_filter" option in PerrysFirewallingScript.