Re: [Users] How critical is rp_filter kernel parameter setting?

From: Ken Bantoft (ken_at_freeswan.ca)
Date: Thu Nov 07 2002 - 23:38:50 CET


On Thu, 7 Nov 2002, Mogens Valentin wrote:

> Ken Bantoft wrote:
> >
> > On Wed, 6 Nov 2002, Jussi Torhonen wrote:
> >
> > Yup, any interface(s) FreeS/WAN is using for ipsec0/1/2/3 needs it set to
> > 0.
>
> Not necessarily. There was a discussion starting 09/11/02 on this topic.
> Just did a sweep through my archives; Joe Patterson wrote:
> --------
> I wrote up something about this fairly recently (you can see it at
> http://listarchive.nextrieve.com/freeswan//200208/msg00374.html)
>
> The upshot of it is: rp filter will not break subnet-subnet tunnels where
> the peer ip address is not within one of the subnets. If, however, you add
> a gw-gw tunnel (or gw-sn, or if the peer address is within the protected
> subnet), then it will not only not work with rp_filter turned on, but will
> break the otherwise working subnet-subnet tunnel until you turn off
> rp_filter. (it really only needs to be turned off on the underlying
> interface)
> --------
>
> This seems to support this (simplified) setup I maintain:
>
> clients --- vpngateway --- inet --- router --- vpngateway --- servers
> 10.15. masquerade NAT public masquerade 10.3.
> to private
>
> Actually, I have three leftside vpngateways for other client networks,
> which all use dsl.connections, where the vpngateway masquerades public
> to private IP#'s directly; no routers here.
> On all leftside vpngateway's I have rp_filter=1.
> On the rightside, no ingress/egress filtering is activated on the
> (cisco) router, which NAT's public IP# to 10.x addresses. The rightside
> vpngateway merely masq's the internal (six) net's (only one, 10.3., is
> shown).
>

Correct. However, Jussi works for SSH, and posts here regularly
answering questions about SSH Sentinel. In 99% of those, it's GW
-> SN, GW = Single Window [2k|XP], probably roadwarrior too. In these
cases, RP Filter is critical as Joe's posts indicate. My answers tend to
be tailored to the questioner if possible :)

If I were including this in a How-To doc, I'd recommend rp_filter=0, as it
would greatly reduce the # of "Why doesn't it work" questions posted about
this topic, and the error message FreeS/WAN generates during startup.

-- 
Ken Bantoft                The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca            http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
"Random numbers should not be generated with a method 
chosen at random."  -- Donald Knuth,
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
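The thread's practical point is that reverse-path filtering has to be off on the underlying interface the peer's packets arrive on (not just on ipsec0), and that a gw-gw or gw-sn tunnel with rp_filter=1 fails in a way that can also take down a previously working subnet-subnet tunnel. The script below is an added example, not code from the thread or from FreeS/WAN: it audits the effective rp_filter value for a named interface and prints the sysctl lines that disable it. The conf-tree root is a parameter so the check runs against a constructed directory here; on a live host pass /proc/sys/net/ipv4/conf. It assumes the rule documented for current kernels (the effective value is the larger of conf/all and conf/<interface>; the value 2, loose mode, also comes from later kernels than the 2.4 series discussed in the thread).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or FreeS/WAN).
# Audit rp_filter on the interface that carries IPsec peer traffic.
# CONF_ROOT is passed in so the check can run against a constructed tree;
# on a real host it is /proc/sys/net/ipv4/conf.

# Print the effective rp_filter value for interface $2 under conf root $1.
# Assumption: current-kernel rule, max(conf/all/rp_filter, conf/<if>/rp_filter).
# A missing file is treated as 0, which is the kernel default.
effective_rp_filter() {
    root=$1; iface=$2
    all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    dev=$(cat "$root/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Return 0 if reverse-path filtering is off on the underlying interface,
# 1 if it is on (1 = strict, 2 = loose), printing the sysctl lines to turn
# it off. Turning it off on the underlying interface is what the thread
# says a gw-gw or gw-sn tunnel needs; ipsec0 itself is not the issue.
check_ipsec_iface() {
    root=$1; iface=$2
    v=$(effective_rp_filter "$root" "$iface")
    if [ "$v" -eq 0 ]; then
        echo "ok: rp_filter=0 on $iface"
        return 0
    fi
    echo "warn: rp_filter=$v on $iface; gw-gw/gw-sn tunnels through it will fail reverse-path checks"
    echo "to fix, add to /etc/sysctl.conf (then sysctl -p):"
    echo "net.ipv4.conf.all.rp_filter = 0"
    echo "net.ipv4.conf.$iface.rp_filter = 0"
    return 1
}

# Stand-alone demonstration against a constructed conf tree (no live kernel
# needed): eth0 is the interface the peer arrives on and has strict mode set.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/all" "$tmp/eth0" "$tmp/eth1"
    echo 0 > "$tmp/all/rp_filter"
    echo 1 > "$tmp/eth0/rp_filter"   # strict reverse-path filtering
    echo 0 > "$tmp/eth1/rp_filter"
    check_ipsec_iface "$tmp" eth0    # warns and prints the fix
    check_ipsec_iface "$tmp" eth1    # ok
    rm -rf "$tmp"
}

demo
```

On a real gateway, run `check_ipsec_iface /proc/sys/net/ipv4/conf eth0` (substituting the interface the peer address is reached through). The check deliberately reads both conf/all and the per-interface file, because setting only one of them and assuming the other does not matter is the usual way the "it worked until I added the gw-gw tunnel" situation from the thread comes about.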


This archive was generated by hypermail 2.1.5 : Sat Nov 09 2002 - 05:20:36 CET