* Need two routers in tandem to implement BGP38?
From: Stephen Satchell @ 2021-07-20 13:23 UTC
  To: Linux Netfilter Users List

Background:  Part of the requirements/suggestions of BGP38 is that you 
block both inbound and outbound traffic with unroutable source 
addresses.  The former to protect one's self, the latter to protect the 
rest of the world.  Also, it appears that rp_filter isn't implemented in 
the kernel for IPv6, but I could be mistaken.  (I'm also not thrilled 
about SEC being "protected".)

Problem: the rp_filter module extension, according to the documentation, 
works only in the raw/PREROUTING or mangle/PREROUTING tables.  Will the 
module also work in, say, mangle/POSTROUTING? That's the first table 
that is fed from both the local output path and the forward path.

Bonus: will it work for IPv6 in both raw/PREROUTING and mangle/POSTROUTING?
