Hi,
This feature will help to mitigate DoS attacks, I vote for :-)
verrevpath & versrcreach are references to the Cisco Reverse Path Forwarding algorithm, which was first cited in RFC1812. I would add that, AFAIK, the partial implementation, antispoof, (which is unable to make the distinction between "strict" & "loose" modes) prevents pf from being used on Internet eXchange Points, in an ISP-ISP environment (because of asymmetric routing).
Maybe recent commits in pf related to openbgpd change this?
Regards,

On 31 Dec. 05 at 00:50, Łukasz Bromirski wrote:

Hi all,

Is there by any chance work being done on pf to include functionality
that is present in FreeBSD ipfw, that checks if packet entered
router via correct interface as pointed out by routing table?

I know there is antispoof, but it's simple check of connected network
and interface address, not full lookup to routing table contents.
On ipfw it's called verrevpath (checking if routing table points
for this source IP to the interface it came on) and versrcreach
(the same but default and blackhole routes don't count).

--
this space was intentionally left blank  | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

--
Olivier Warin - http://xview.net
Stay connected !
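
The strict/loose distinction discussed in this thread, as an added example that is not part of either message and is not ipfw or pf code: a small Python model of the two source checks as ipfw(8) documents them (verrevpath compares the route's interface with the arrival interface; versrcreach only requires a route that is neither default nor blackhole). The routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a hypothetical router at an exchange point:
# (prefix, outgoing interface, flags). All values are illustrative.
ROUTES = [
    ("0.0.0.0/0",       "em0", set()),          # default route via transit
    ("198.51.100.0/24", "em1", set()),          # peer A, best path out em1
    ("203.0.113.0/24",  "em2", set()),          # peer B, best path out em2
    ("192.0.2.0/24",    "lo0", {"blackhole"}),  # null-routed prefix
]

def lookup(src):
    """Longest-prefix match on the source address: (network, ifname, flags)."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname, flags in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, flags)
    return best

def strict_rpf(src, in_if):
    """Strict mode (verrevpath-style): the route back to src must leave
    through the same interface the packet arrived on."""
    route = lookup(src)
    return route is not None and route[1] == in_if

def loose_rpf(src):
    """Loose mode (versrcreach-style): a route to src must exist and must not
    be the default route or a blackhole route; the interface is ignored."""
    route = lookup(src)
    if route is None:
        return False
    net, _ifname, flags = route
    return net.prefixlen != 0 and "blackhole" not in flags

def classify(src, in_if):
    """Return the verdict of both checks for one incoming packet."""
    return {"strict": strict_rpf(src, in_if), "loose": loose_rpf(src)}

if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface).
    for src, in_if in [("198.51.100.7", "em1"),   # symmetric path
                       ("198.51.100.7", "em2"),   # asymmetric path via peer B
                       ("10.9.9.9", "em1"),       # only the default route covers it
                       ("192.0.2.5", "em1")]:     # source inside a blackholed prefix
        print(src, in_if, classify(src, in_if))
```

The second packet is the asymmetric-routing case: strict mode drops legitimate traffic from peer A that arrives via em2, while loose mode accepts it and still rejects sources reachable only through the default or a blackhole route.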

