[feature] ipfw verrevpath/versrcreach?
Olivier Warin
daffy at xview.net
Fri Dec 30 16:34:45 PST 2005
Hi,
This feature will help to mitigate DoS attacks, I vote for it :-)
verrevpath & versrcreach are references to Cisco's Reverse Path
Forwarding algorithm, which was first cited in RFC1812.
I would add that, AFAIK, the partial implementation, antispoof,
(which is unable to make the distinction between "strict" & "loose"
modes) prevents pf from being used on Internet eXchange Points, in an
ISP-ISP environment (because of asymmetric routing).
Maybe recent commits in pf related to openbgpd change this?
Regards,
On 31 Dec 05, at 00:50, Łukasz Bromirski wrote:
> Hi all,
>
> Is there by any chance work being done on pf to include functionality
> that is present in FreeBSD ipfw, that checks if packet entered
> router via correct interface as pointed out by routing table?
>
> I know there is antispoof, but it's simple check of connected network
> and interface address, not full lookup to routing table contents.
> On ipfw it's called verrevpath (checking if routing table points
> for this source IP to the interface it came on) and versrcreach
> (the same but default and blackhole routes don't count).
>
> --
> this space was intentionally left blank | Łukasz Bromirski
> you can insert your favourite quote here | lukasz:bromirski,net
--
Olivier Warin - http://xview.net
Stay connected !
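
An added example, not part of the thread and not ipfw or pf code: a simplified Python model of the strict (verrevpath-style) and loose (versrcreach-style) source checks discussed above, run over a constructed routing table to show why a strict check drops legitimate traffic under asymmetric routing. The routes, interface names and addresses are constructed, and the loose check is modelled as interface-independent, which is an assumption of this model.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface, flags).
ROUTES = [
    ("0.0.0.0/0",       "em0", "default"),
    ("198.51.100.0/24", "em1", ""),
    ("203.0.113.0/24",  "em2", ""),
    ("192.0.2.0/24",    "lo0", "blackhole"),
]
TABLE = [(ipaddress.ip_network(p), i, f) for p, i, f in ROUTES]


def lookup(src):
    """Longest-prefix match on the source address; (iface, flags) or None."""
    addr = ipaddress.ip_address(src)
    hits = [r for r in TABLE if addr in r[0]]
    if not hits:
        return None
    _, iface, flags = max(hits, key=lambda r: r[0].prefixlen)
    return iface, flags


def strict_rpf(src, in_iface):
    """Strict mode: the route back to src must use the arrival interface."""
    route = lookup(src)
    return route is not None and route[0] == in_iface


def loose_rpf(src):
    """Loose mode: src must be reachable via a route that is neither
    the default route nor a blackhole route, on any interface."""
    route = lookup(src)
    return route is not None and route[1] not in ("default", "blackhole")


# Constructed packets: (source address, arrival interface, scenario).
PACKETS = [
    ("198.51.100.9", "em1", "symmetric path"),
    ("203.0.113.7",  "em1", "asymmetric path (return route uses em2)"),
    ("10.9.8.7",     "em0", "only the default route covers the source"),
    ("192.0.2.5",    "em1", "source covered by a blackhole route"),
]

if __name__ == "__main__":
    for src, iface, why in PACKETS:
        print(f"{src:14} in {iface}: strict={strict_rpf(src, iface)!s:5} "
              f"loose={loose_rpf(src)!s:5}  # {why}")
```

The second packet is the exchange-point case from the message: the source is routable, so the loose check accepts it, while the strict check rejects it because the return route leaves via a different interface.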