[Cerowrt-devel] Updates to the wiki for 3.10.32-12
Toke Høiland-Jørgensen
toke at toke.dk
Mon Mar 24 12:55:54 EDT 2014
Rich Brown <richb.hanover at gmail.com> writes:
> - I have added a BCP38 page to give an overview of that page. A
> question that I haven't seen addressed in the commentary on the list:
> Does this BCP38 implement also filter out spoofed source addresses? (I
> imagine it would, but the pages don't specifically say so.)
It blocks the configured subnets:
- at ingress on one
- at egrees on destination.
I.e. a packet arriving on the WAN interface *from* one of the configured
subnets or a packet departing the WAN interface *towards* one of the
configured subnets will get dropped.
You could presumably still send a packet from the inside with a spoofed
source address, but that source address would then get rewritten by the
NAT filter...
-Toke
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140324/c6775d34/attachment.sig>
More information about the Cerowrt-devel
mailing list