On Sat, Mar 10, 2001 at 05:20:26PM +0000, Jim Breton wrote:
> On Sat, Mar 10, 2001 at 10:22:48AM -0600, Ted Cabeen wrote:
> >         if (BADCLASS(daddr) || ZERONET(daddr) || LOOPBACK(daddr))
> >                 goto martian_destination;
> > 
> > This is part of the routing check for incoming packets.  It should take
> > care of the problem being discussed.  :)
> > 
> > (I haven't tested this section of the code, but it should prevent that kind
> > of attack, I think)
> 
> It should, yes; however, see the recent thread on Bugtraq about this
> issue.
> 
> Also since log_martians is not enabled by default (unless your distro
> does so, and afaict potato at least does not) you will never hear a word
> about these packets.  Logging them would be nice.  Even with
> log_martians enabled, it doesn't tell you anything about the packet
> other than src, dst, and iface.  Further, I'm not sure the martian code
> would stop a packet from landing on an "internal" interface other than
> loopback (again see the Bugtraq discussion) which is why we should (and
> do) filter the destination addresses of incoming packets as well as the
> source addresses.

Doesn't rp_filter do this, or am I missing something?  It should make the
kernel drop packets coming in on interfaces they shouldn't be, e.g. 10.0.0.0
packets coming from an interface to 192.168.1.0.  (It will break asymmetric
routing setups, where packets do come in on a different interface from the
one replies will be sent on, so you have to do it manually with ipchains for
that case.  Otherwise, you don't even need to compile ipchains into the
kernel for rp_filter to work.)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
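An added example, not part of the thread, for checking the two sysctls Jim and Peter discuss: it walks the per-interface entries under /proc/sys/net/ipv4/conf (the live path; a constructed directory with the same layout can be passed instead, which is how it can be tested without root) and reports any interface where rp_filter or log_martians is off, plus a helper that turns both on.

```sh
#!/bin/sh
# Added example (not from the thread): audit and enable the rp_filter and
# log_martians sysctls.  ROOT defaults to the live kernel tree.

# audit_martian_sysctls [root]
# Prints one line per interface where reverse-path filtering or martian
# logging is off.  Requiring both the "all" entry and the interface's own
# entry to be 1 is conservative: it counts as enabled whether the kernel
# ANDs the two (2.4) or takes max/OR (later).  Returns 0 if all pass.
audit_martian_sysctls() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    all_rp=$(cat "$root/all/rp_filter" 2>/dev/null || echo "?")
    all_lm=$(cat "$root/all/log_martians" 2>/dev/null || echo "?")
    bad=0
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" is folded in above; "default" only seeds future interfaces.
        case "$iface" in all|default) continue ;; esac
        rp=$(cat "$dir/rp_filter" 2>/dev/null || echo "?")
        lm=$(cat "$dir/log_martians" 2>/dev/null || echo "?")
        if [ "$all_rp" != "1" ] || [ "$rp" != "1" ]; then
            echo "$iface: rp_filter all=$all_rp iface=$rp (source validation off)"
            bad=1
        fi
        if [ "$all_lm" != "1" ] || [ "$lm" != "1" ]; then
            echo "$iface: log_martians all=$all_lm iface=$lm (martians unlogged)"
            bad=1
        fi
    done
    return $bad
}

# enable_martian_sysctls [root]
# Turns both settings on for "all", "default" and every interface.  On the
# live tree this needs root and does not survive a reboot (use sysctl.conf).
enable_martian_sysctls() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        echo 1 > "$dir/rp_filter"
        echo 1 > "$dir/log_martians"
    done
}

# When run directly with --live, report on the running kernel.
if [ "${1:-}" = "--live" ]; then
    audit_martian_sysctls && echo "rp_filter and log_martians on for every interface"
fi
```

As the message notes, strict rp_filter drops legitimate traffic on asymmetric routes, so run the audit first and review what it reports before enabling.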

