LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 10-13-2004, 03:28 PM   #1
kishku
LQ Newbie
 
Registered: Oct 2004
Location: California, USA
Distribution: Debian
Posts: 2

Rep: Reputation: 0
rp_filter and dropping of ICMP packets from martian sources


The TCP/IP stack in my 2.4.18 debian linux system has Reverse Path Filtering (rp_filter) turned on by default. This makes it drop all incoming IP packets from sources which are not in its routing tables. The dropped packets include ICMP error packets destined to the local node such as the ICMP Datagram Too Large error message used for path MTU discovery.

I have a host route to a remote system through a gateway. The Ethernet interfaces on the local system and remote system have MTU set to 1500. A router along the way to the remote system has one interface at an MTU of 1442 and sends back an ICMP Datagram Too Large error packet as per RFC1191. Since I don't have a route set for that router, the ICMP error packet is dropped and my system fails to do path MTU discovery.

Is the dropping of ICMP error packets from "unknown" sources (sources without a matching routing table entry) a bug in the Reverse Path Filtering implementation or is it an intended consequence? Should ICMP error packets destined to the local node be accepted regardless of the rp_filter setting?

I am thinking of turning off rp_filter to make the path MTU discovery work correctly.

Thanks,

- Krish -

Last edited by kishku; 10-14-2004 at 02:59 PM.
 
Old 10-19-2004, 05:33 PM   #2
kishku
LQ Newbie
 
Registered: Oct 2004
Location: California, USA
Distribution: Debian
Posts: 2

Original Poster
Rep: Reputation: 0
I would like to know if turning off rp_filter on a system inside the corporate LAN presents a grave security risk. I am assuming that the corporate firewall will protect the interior server.

Does anyone know of any risk specifically introduced by the turning off of rp_filter on a server that cannot be protected by a firewall outside the server?

Thanks.
 
Old 10-19-2004, 09:06 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I normally recommend leaving rp_filter on unless absolutely necessary. Turning it off inside the LAN is less of a risk than doing so on a border firewall, but it still is a risk. While the border firewall may block the vast majority of spoofing attempts, rp_filter can still catch hosts inside the LAN that are compromised and spitting out malicious packets in the LAN. Usually your best option is to just fix your routing table and avoid rp_filter problems all together.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
kernel martian sources logs czelaya Linux - Networking 2 07-29-2005 01:47 PM
ICMP Packets coolfrog Linux - Networking 4 12-22-2004 12:10 PM
Interpret ICMP packets SaTaN Linux - Networking 1 01-20-2004 11:23 PM
DENY ICMP Packets joseph Linux - Software 1 10-08-2003 11:03 PM
dropping packets ? jb_li Programming 7 04-14-2003 12:18 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:40 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration