nanog mailing list archives
Re: BCP38 on public-facing Ubuntu servers
From: William Herrin <bill () herrin us>
Date: Thu, 3 Jun 2021 07:44:45 -0700
On Wed, Jun 2, 2021 at 2:04 PM Grant Taylor via NANOG <nanog () nanog org> wrote:
> On 6/2/21 4:35 AM, Jean St-Laurent via NANOG wrote:
>> Maybe you can explore the in-kernel feature called RP filter or reverse path filter. In router gear it's called uRPF.
>>
>> cat /proc/sys/net/ipv4/conf/default/rp_filter
>
> +100 to rp_filter

rp_filter is great until your network is slightly less than a perfect hierarchy. Then your Linux "router" starts mysteriously dropping packets and, as with allow_local, Linux doesn't have any way to generate logs about it so you end up with these mysteriously unexplained packet discards matching no conceivable rule in iptables...

This failure has too often been the bane of my existence when using Linux for advanced networking.

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/
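
An added example, not part of the thread: when chasing the kind of unexplained discards described above, a first check is which reverse-path mode each interface actually runs and whether the kernel's reverse-path drop counter is moving. The kernel uses the higher of `conf/all/rp_filter` and `conf/<iface>/rp_filter` per interface, and counts drops as `IPReversePathFilter` in `/proc/net/netstat`; `PROC_ROOT` is a variable invented for this example so the functions can read a copied tree.

```shell
#!/bin/sh
# Added example: effective rp_filter mode per interface plus the RPF drop counter.
# PROC_ROOT is an assumption of this example (defaults to the live /proc).
PROC_ROOT="${PROC_ROOT:-/proc}"

# Source validation on <iface> uses max(conf/all, conf/<iface>).
effective_rp_filter() {
    all=$(cat "$PROC_ROOT/sys/net/ipv4/conf/all/rp_filter")
    own=$(cat "$PROC_ROOT/sys/net/ipv4/conf/$1/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# 0 = no source validation, 1 = strict (RFC 3704), 2 = loose.
mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# /proc/net/netstat holds a header line and a value line per section;
# find the IPReversePathFilter column in the TcpExt header, print its value.
rpf_drops() {
    awk '$1 == "TcpExt:" && !seen {
             for (i = 2; i <= NF; i++) if ($i == "IPReversePathFilter") col = i
             seen = 1; next
         }
         $1 == "TcpExt:" && col { print $col; found = 1; exit }
         END { if (!found) print "n/a" }' "$PROC_ROOT/net/netstat"
}

# One line per interface, then the counter. Sample it twice while the
# problem traffic is flowing: a rising value points at rp_filter.
report() {
    for dir in "$PROC_ROOT"/sys/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        echo "$iface $(mode_name "$(effective_rp_filter "$iface")")"
    done
    echo "rpf_drops $(rpf_drops)"
}

if [ "${1:-}" = "report" ]; then report; fi
```

Note that an interface set to 0 still runs strict filtering when `conf/all/rp_filter` is 1, which is why the per-interface file alone can mislead.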