[Cerowrt-devel] Updates to the wiki for 3.10.32-12

Toke Høiland-Jørgensen toke at toke.dk
Mon Mar 24 12:55:54 EDT 2014

Rich Brown <richb.hanover at gmail.com> writes:

> - I have added a BCP38 page to give an overview of that page. A
> question that I haven't seen addressed in the commentary on the list:
> Does this BCP38 implement also filter out spoofed source addresses? (I
> imagine it would, but the pages don't specifically say so.)

It blocks the configured subnets:

- at ingress on one
- at egrees on destination.

I.e. a packet arriving on the WAN interface *from* one of the configured
subnets or a packet departing the WAN interface *towards* one of the
configured subnets will get dropped.

You could presumably still send a packet from the inside with a spoofed
source address, but that source address would then get rewritten by the
NAT filter...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140324/c6775d34/attachment.sig>

More information about the Cerowrt-devel mailing list