On Tue, 2003-11-18 at 13:03, Troy Aden wrote:
> I think there may be a bug in Bering-uClibc_2.0-rc2. I am currently still
> working through this IPSec configuration and I discovered the following
> warning when IPSec loads on boot up:
> 
> >>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 
> /proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0.
> 
> >>>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 
> I did as I was asked in the procedure: 
> 
> >>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 
> Important 
> You must not turn on route filtering for any interfaces involved in ipsec.
> The "Bering recommended" way to turn this off is to use the
> /etc/network/options file and change the "spoofprotect" parameter to "no"
> 
> >>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 
> But the only way I can set this value to zero is to manually go into
> /proc/sys/net/ipv4/conf/eth0/rp_filter and set the value to zero. After I do
> this, do a full backup of Bering (the "all Except log" 'L' option), and
> reboot, the changes have not been backed up.
> 
> Can anyone please tell me how to back up the changes I make to
> /proc/sys/net/ipv4/conf/eth0/rp_filter? 
> 
> Thanks in advance!

There are several problems here.

a) The advice that /proc/sys/net/ipv4/conf/eth0/rp_filter should be zero
is bogus. I ran an IPSEC tunnel with that flag set to 1 for over a year
with no problems other than an annoying message when IPSEC started. You
*might* see problems if /proc/sys/net/ipv4/conf/all/rp_filter is also
set (that's required to actually perform route-based filtering on those
interfaces whose flag is also set).

b) There is another way in which that flag can be turned on:

        /etc/shorewall/interfaces -- routefilter option.
        
c) /proc has no backing store; it is a file system materialized in
memory with no disk underneath it. So it is impossible to back up that
setting in the literal sense. What you rather need to do is to change
those config files that cause the flag to be set to 1 (such as
/etc/network/options and /etc/shorewall/interfaces) then back up THOSE
files.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
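
An added illustration of points (a) to (c) in the reply above, not part of the original thread and not Bering or Shorewall code: a small shell audit that reports whether route filtering is actually in effect on an interface and which persistent config file turns the flag on, so you know which files to edit and back up. The function names and the `ROOT` prefix argument are hypothetical; the script assumes `/etc/network/options` uses `key=value` lines and that `/etc/shorewall/interfaces` carries its options in the fourth column.

```shell
#!/bin/sh
# Added example, not from the original thread.
# ROOT is a hypothetical path prefix so the checks can run against a copy
# of the filesystem; pass "" to inspect the running system.

# Print the first line of a /proc flag file, or 0 if it is missing.
read_flag() { if [ -r "$1" ]; then head -n 1 "$1"; else echo 0; fi; }

# effective_rp_filter ROOT IFACE
# Prints 1 only when both the "all" flag and the interface flag are set,
# which is the rule described in the reply above. (Later kernels use the
# larger of the two values instead.)
effective_rp_filter() {
    all=$(read_flag "$1/proc/sys/net/ipv4/conf/all/rp_filter")
    one=$(read_flag "$1/proc/sys/net/ipv4/conf/$2/rp_filter")
    if [ "$all" != 0 ] && [ "$one" != 0 ]; then echo 1; else echo 0; fi
}

# rp_filter_sources ROOT IFACE
# Prints each config file that would switch the flag back on at boot.
# These files, not /proc, are what has to be changed and backed up.
rp_filter_sources() {
    opts="$1/etc/network/options"        # assumed format: spoofprotect=yes|no
    shw="$1/etc/shorewall/interfaces"    # assumed columns: ZONE IFACE BCAST OPTIONS
    if [ -r "$opts" ] && grep -Eq '^[[:space:]]*spoofprotect=yes' "$opts"; then
        echo "/etc/network/options"
    fi
    if [ -r "$shw" ] && awk -v i="$2" '
        /^[ \t]*#/ { next }
        $2 == i && $4 ~ /(^|,)routefilter(,|$)/ { found = 1 }
        END { exit !found }' "$shw"; then
        echo "/etc/shorewall/interfaces"
    fi
}

# Usage: sh rpcheck.sh IFACE [ROOT]
if [ -n "${1:-}" ]; then
    echo "route filtering in effect on $1: $(effective_rp_filter "${2:-}" "$1")"
    echo "turned on by:"
    rp_filter_sources "${2:-}" "$1"
fi
```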




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
