> From Documentation/networking/ip_sysctl.txt:
>
> rp_filter - INTEGER
>     0 - No source validation.
>     1 - Strict mode as defined in RFC3704 Strict Reverse Path
>         Each incoming packet is tested against the FIB and if the
>         interface is not the best reverse path the packet check
>         will fail.
>         By default failed packets are discarded.
>     2 - Loose mode as defined in RFC3704 Loose Reverse Path
>         Each incoming packet's source address is also tested
>         against the FIB and if the source address is not reachable
>         via any interface the packet check will fail.
>
>     Current recommended practice in RFC3704 is to enable strict mode
>     to prevent IP spoofing from DDos attacks. If using asymmetric
>     routing or other complicated routing, then loose mode is
>     recommended.
>
>     conf/all/rp_filter must also be set to non-zero to do source
>     validation on the interface
>
>     Default value is 0. Note that some distributions enable it
>     in startup scripts.

Interesting read, thanks! So, I am better off with routefilter=1 than routefilter=2, as the checks applied are more stringent?

There was another reason I asked this question: I need to know what to do with my other machines where no Shorewall (but another) firewall is deployed.
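The setting quoted above is the kernel's per-interface rp_filter sysctl, and the kernel applies the maximum of conf/all/rp_filter and conf/<interface>/rp_filter, which is why the documentation says conf/all must also be non-zero. The script below is an added example, not code from the list or from the Shorewall project: it computes that effective mode and reports it for every interface, falling back to constructed sample values when /proc/sys is not readable.

```shell
#!/bin/sh
# Added example: work out which rp_filter mode Linux really applies.
# Effective value = max(conf/all/rp_filter, conf/<iface>/rp_filter).
# 0 = off, 1 = strict RPF (RFC 3704), 2 = loose RPF (RFC 3704).

# Effective value for one interface, given the "all" value and the
# interface-specific value.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Human-readable name for an rp_filter value.
rp_filter_mode() {
    case "$1" in
        0) echo "off (no source validation)" ;;
        1) echo "strict (RFC 3704 strict RPF)" ;;
        2) echo "loose (RFC 3704 loose RPF)" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# Print the effective mode for each interface on this host. Reads
# /proc/sys/net/ipv4/conf/*/rp_filter; when that tree is not readable
# (e.g. inside a container) it prints one constructed sample line.
report_rp_filter() {
    conf=/proc/sys/net/ipv4/conf
    if [ -r "$conf/all/rp_filter" ]; then
        all_val=$(cat "$conf/all/rp_filter")
        for d in "$conf"/*; do
            iface=$(basename "$d")
            [ "$iface" = all ] && continue
            [ "$iface" = default ] && continue
            [ -r "$d/rp_filter" ] || continue
            iface_val=$(cat "$d/rp_filter")
            eff=$(effective_rp_filter "$all_val" "$iface_val")
            printf '%-12s all=%s iface=%s -> %s\n' \
                "$iface" "$all_val" "$iface_val" "$(rp_filter_mode "$eff")"
        done
    else
        # Constructed sample: all=1 (strict), interface set to 2 (loose).
        # Strict wins because the kernel takes the maximum.
        eff=$(effective_rp_filter 1 2)
        printf '%-12s all=%s iface=%s -> %s\n' \
            "eth0(sample)" 1 2 "$(rp_filter_mode "$eff")"
    fi
}
```

Because the maximum is used, lowering a single interface to loose mode has no effect while conf/all/rp_filter is still 1; the interface keeps strict checking.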
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
