Differences

This shows you the differences between two versions of the page.

--- doc:appunti:net:source_routing [2025/10/07 10:42] – niccolo
+++ doc:appunti:net:source_routing [2025/10/07 10:56] (current) – [Firewall dual homed e source routing con Shorewall] niccolo
@@ Line 154: / Line 154: @@
   * In **''/etc/shorewall/shorewall.conf''** si imposta **ROUTE_FILTER=No**, altrimenti il traffico in uscita dalla eth2 viene filtrato come //martian source//.
   * In **''/etc/shorewall/interfaces''** **NON** ci deve essere l'opzione **routefilter=1** (misura anti-spoofing), per lo stesso motivo di cui sopra. **ATTENZIONE**: Se in ''shorewall.conf'' c'è l'opzione ''ROUTE_FILTER=Yes'', impostare qui ''routefilter=0'' non è sufficiente.
-  * In **''/etc/shorewall/interfaces''** l'opzione **sourceroute=[0|1]** (non accetta/accetta pacchetti source routed dall'interfaccia) è importante? FIXME
+  * In **''/etc/shorewall/interfaces''** è opportuno avere l'opzione **sourceroute=0** (parametro accept_source_route del kernel) sulle interfacce collegate a peer non fidati (connessioni ISP, ecc).
 **''/etc/shorewall/interfaces''**
@@ Line 160: / Line 160: @@
 <file>
 # Dual-homed external interfaces require global ROUTE_FILTER=No in shorewall.conf.
-net    eth0    tcpflags,nosmurfs
+# The safe policy for connections with untrusted peers is to set accept_source_route to 0.
-net    eth2    tcpflags,nosmurfs
+# Notice: source route packets are nonsensical on a PPP link.
-# Enable route filter (rp_filter kernel paramter) on the local interface.
+accept_source_route = 0
+net    eth0    tcpflags,nosmurfs,sourceroute=0
+net    eth2    tcpflags,nosmurfs,sourceroute=0
+# Enable route filter (rp_filter kernel paramter) specifically on the local interface.
 loc    eth1    dhcp,routefilter=1
 </file>