[nycbug-talk] FreeBSD Dual homed
swygue
swygue at gmail.com
Thu Dec 20 23:45:39 EST 2007
On Dec 20, 2007 11:17 PM, Lonnie Olson <lists at kittypee.com> wrote:
> On Dec 20, 2007, at 2:24 PM, Rodrique Heron wrote:
> > # ifconfig -a
> > em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > inet 150.210.240.36 netmask 0xffffff00 broadcast 150.210.240.255
> > em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > inet 150.210.160.243 netmask 0xffffff00 broadcast 150.210.160.255
>
> > # netstat -rn -f inet
> > Routing tables
> > Internet:
> > Destination Gateway Flags Refs Use Netif Expire
> > default 150.210.160.254 UGS 0 415 em1
> > 150.210.160/24 link#2 UC 0 0 em1
> > 150.210.240/24 link#1 UC 0 0 em0
>
> You could have a problem with your ISP using some sort of anti IP
> spoofing measures.
> An SSH connection to 150.210.240.36 would not work in that case.
>
> The incoming packets will come in on the em0 interface as expected,
> but outgoing packets will travel out of the em1 interface. All
> routing decisions are solely based on the destination address, and
> have nothing to do with the source address. And your default route is
> 150.210.160.254 which lies on the em1 interface.
>
> Anti IP spoofing measures would cause a problem here. In general your
> ISP could be filtering traffic coming from your em1 interface that
> does not have a source address of 150.210.160.0/24. Probably the
> same as filtering traffic coming from em0 that does not have a source
> of 150.210.240.0/24. This type of filtering can be fairly common,
> since it is rarely problematic, easy to implement, and reduces lots of
> abuse.
>
> If this is the case, connections to 150.210.160.243 should work fine.
> Solutions to this problem are having your ISP allow both subnets on
> both interfaces, or using some other magic to make routing decisions
> based on source address.
>
> If this isn't the case, it may take some tcpdump'ing to watch the
> traffic on the interfaces to see what is really happening.
>
Lonnie-
I think you are onto something here, this makes a lot of sense to me.
> --lonnie
>
>
--
swygue neron --->>
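The "magic to make routing decisions based on source address" that Lonnie mentions is, on FreeBSD, pf's reply-to / route-to. The pf.conf below is an added example written for this thread, not something either poster supplied. It uses the two addresses and the em1 gateway from the netstat output above; the em0 gateway (150.210.240.254) does not appear in the thread and is an assumption that must be replaced with the real router on that subnet.

```pf
# Added example pf.conf for the dual-homed host in this thread.
# ASSUMPTION: em0's upstream router is 150.210.240.254. The thread only shows
# the em1 gateway (150.210.160.254); fix gw0 before loading this.
ext_if0 = "em0"
ext_if1 = "em1"
ip0 = "150.210.240.36"     # em0 address from the ifconfig output
ip1 = "150.210.160.243"    # em1 address from the ifconfig output
gw0 = "150.210.240.254"    # assumed em0 router, not from the thread
gw1 = "150.210.160.254"    # default gateway from the netstat output

set skip on lo0
scrub in all

# Default policy for everything not matched by a quick rule below.
pass out all keep state

# SSH arriving on em0 for em0's address: create state and send every reply
# back out em0 to em0's router, overriding the destination-based default
# route that would otherwise push it out em1 with a 150.210.240.36 source.
pass in quick on $ext_if0 reply-to ($ext_if0 $gw0) inet proto tcp \
    from any to $ip0 port ssh flags S/SA keep state

# Same for em1. This path already works via the default route; the rule is
# here so both interfaces behave identically if the default route moves.
pass in quick on $ext_if1 reply-to ($ext_if1 $gw1) inet proto tcp \
    from any to $ip1 port ssh flags S/SA keep state

# Locally initiated traffic sourced from em0's address would also be routed
# out em1 by the kernel; route-to catches it on the way out and sends it via
# em0 and em0's router instead.
pass out quick on $ext_if1 route-to ($ext_if0 $gw0) inet from $ip0 to any keep state
```

Enable pf with pf_enable="YES" in /etc/rc.conf and load the ruleset with pfctl -f /etc/pf.conf. To confirm the diagnosis first, run tcpdump -ni em1 src host 150.210.240.36 while connecting to the em0 address from outside: before the rules are loaded you should see SYN-ACKs for 150.210.240.36 leaving em1, which is exactly what an ISP ingress filter on the 150.210.160.0/24 link would drop; after loading them that capture should stay empty and pfctl -s state should show the SSH state with the em0 route. The kernel routing table (netstat -rn) is unchanged by this; there is still one default route, pf just overrides it per state. Only TCP to port ssh is covered above; other services on the em0 address need their own reply-to rule or a broader match.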