> From: Sten Daniel Sørsdal [mailto:[EMAIL PROTECTED]
> >On Thu, Feb 27, 2003 at 02:02:53PM +0100, Sten Daniel Sørsdal wrote:
> >> What I am looking for is a feature that basically prevents spoofing by looking
> >> up the route for the source and matching the incoming interface.
> >> A firewall solves the problem but adds a lot of administrative overhead and
> >> leaves room for error.
> >Check the net.inet.ip.check_interface sysctl.
> >It may be what you're looking for.
> >BMS
>
> Thank you for your reply!
>
> I haven't had a clear explanation of that one (tried the RFC too).
> But does this one really stop spoofing for routed packets as well?
>
> I got some border routers running BGP - three of which have
> full internet feed.
> Would this block spoofed packets from my network and would it block
> incoming source IPs that "come" from nonexistent networks?

I think the routers would need to have egress filtering enabled, which
isn't all that commonly done.
http://www-users.rwth-aachen.de/jens.hektor/security/cisco-acl.html
for example.

--don
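
The check asked about at the start of the thread (look up the route for a packet's source address and compare its interface with the one the packet arrived on), as an added example that is not part of the thread and is not FreeBSD kernel code. The routing table, prefixes and interface names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed routing table (documentation prefixes, made-up interface names).
 * No default route, as on a router carrying a full table. */
struct route { uint32_t prefix; int len; const char *ifname; };
static const struct route table[] = {
    { 0xC0000200u, 24, "em1" },  /* 192.0.2.0/24       internal LAN */
    { 0xC6336400u, 24, "em0" },  /* 198.51.100.0/24    upstream A   */
    { 0xC6336480u, 25, "em2" },  /* 198.51.100.128/25  upstream B   */
};

enum verdict { ACCEPT, DROP_WRONG_IF, DROP_NO_ROUTE };

static uint32_t mask(int len) { return len ? 0xFFFFFFFFu << (32 - len) : 0; }

/* Longest-prefix match on addr; NULL when no route covers it. */
static const struct route *lookup(uint32_t addr)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if ((addr & mask(table[i].len)) == table[i].prefix &&
            (best == NULL || table[i].len > best->len))
            best = &table[i];
    return best;
}

/* Strict check: the best route back to src must leave through in_if. */
static enum verdict rpf_check(uint32_t src, const char *in_if)
{
    const struct route *r = lookup(src);
    if (r == NULL)
        return DROP_NO_ROUTE;  /* source claims a network we have no route to */
    return strcmp(r->ifname, in_if) == 0 ? ACCEPT : DROP_WRONG_IF;
}

int main(void)
{
    static const char *name[] = { "accept", "drop: wrong interface", "drop: no route" };
    printf("%s\n", name[rpf_check(0xC0000205u, "em1")]);  /* 192.0.2.5 from the LAN */
    printf("%s\n", name[rpf_check(0xC0000205u, "em0")]);  /* same source from upstream A */
    printf("%s\n", name[rpf_check(0xCB007105u, "em0")]);  /* 203.0.113.5, unrouted */
    printf("%s\n", name[rpf_check(0xC63364C8u, "em0")]);  /* 198.51.100.200 via A, best path is B */
    return 0;
}
```

The last case matters on routers with several upstreams: a legitimate packet that arrives on an interface other than the best return path is dropped by a strict check as well.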