Re: serious flaw exposed via filters (fwd)

Igor V. Semenyuk (iga@sovam.com)
Tue, 17 Sep 1996 22:42:09 +0400 (MSD)

>
>
> One way to eliminate the routing loop is to put a filter on your wan port.
> An outgoing filter can deny any packet that has a destination address of
> your network.

This is a good idea, though I try to stay away from filtering when
simple routing decisions help. But in this case it seems to be the
only viable solution.

>
> Also everybody should have an incoming filter that denies everything with
> source that has your network's address.
>
> If you only have the second one then a packet will make a trip
> through the wan port to the outside router and then back just once.

No. If the looping packet is sourced off your network the incoming
anti-spoofing filter will never block it. Such a filter will behave as
you described only against packets originated in your network.

>
> Krzysztof
>

-- 
Igor V. Semenyuk                    Internet: iga@sovam.com
SOVAM Teleport                      Phone:    +7 095 258 4170
Moscow, Russia                      Fax:      +7 095 258 4133
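
The loop and the two filters discussed in this message, modeled as an added example (not part of the original post). The address block, the live host, the function name `wan_crossings` and the two-router topology (customer router with a default route out the WAN port, upstream router routing the whole block back) are assumptions made for illustration.

```python
import ipaddress

MY_NET = ipaddress.ip_network("192.0.2.0/24")      # constructed customer block
LIVE_HOSTS = {ipaddress.ip_address("192.0.2.10")}  # constructed: addresses in use

def wan_crossings(src, dst, egress_filter=False, ingress_filter=False, ttl=64):
    """Count how often one packet crosses the WAN link before it is
    delivered, filtered, or its TTL runs out (simplified two-router model)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    at_customer = src in MY_NET   # packet starts at the router nearest its source
    crossings = 0
    while ttl > 0:
        ttl -= 1
        if at_customer:
            if dst in LIVE_HOSTS:
                break             # delivered locally
            # No specific route for dst: the default route points out the WAN.
            if egress_filter and dst in MY_NET:
                break             # outgoing filter: deny dst in my network
            crossings += 1
            at_customer = False
        else:
            if dst not in MY_NET:
                break             # upstream forwards it on to the Internet
            # Upstream routes the whole block back down the WAN link.
            crossings += 1
            if ingress_filter and src in MY_NET:
                break             # incoming filter: deny src in my network
            at_customer = True
    return crossings

if __name__ == "__main__":
    unused = "192.0.2.200"        # inside the block, not assigned to any host
    for label, src in (("outside source", "198.51.100.7"),
                       ("inside source", "192.0.2.10")):
        for name, kw in (("no filter", {}),
                         ("incoming only", {"ingress_filter": True}),
                         ("outgoing only", {"egress_filter": True})):
            print(f"{label:15} {name:14} {wan_crossings(src, unused, **kw)}")
```
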