Reverse path forwarding in Web Gateway with the strict mode reverse path forwarding filter
Technical Articles ID:   KB89395
Last Modified:  5/31/2017

Environment

McAfee Web Gateway (MWG) 7.7.2 and later

Summary

With the release of MWG version 7.7.2, McAfee has improved product security by enabling strict mode reverse path filtering (the Linux rp_filter sysctl) as defined in RFC 3704.
With this change, a packet is accepted only if it arrives on the interface that the routing table would use to send a reply back to the packet's source address. In other words, the inbound and outbound paths must be the same; packets whose source address is reachable only through a different interface are dropped.

NOTE: This change affects only a small fraction of McAfee customers, because only specific network setups (those with asymmetric routing) are affected.

Solution

The following network setups are excluded from strict mode reverse path filtering:
  • WCCP
  • Proxy L2 transparent
  • Transparent bridge
  • Transparent router
  • Proxy mode with IP spoofing enabled
  • Proxy HA
MWG supports three different settings for rp_filter:

  rp_filter   Implements
  0           No source validation.
  1           Strict Reverse Path Forwarding (as defined in RFC 3704). The source address is looked up in the Forwarding Information Base (FIB); if the packet was received on the interface that would also be used to forward a packet back to that source, it is allowed to pass. Otherwise the packet is dropped.
  2           Loose Reverse Path Forwarding (as defined in RFC 3704). In contrast to strict mode, this mode checks only that a route to the source address exists, not which interface the route points to. If any route is found, the packet is allowed to pass.

To configure this functionality:
  1. Select the File Editor tab and highlight sysctl.conf.
  2. Click Edit.
  3. Locate the entry:

    ### END AUTOGENERATED CONFIG
     
  4. Add the following line after that marker:

    net.ipv4.conf.all.rp_filter =
     
  5. Set the mode:
    • To enable loose mode, set the line as: net.ipv4.conf.all.rp_filter = 2
       
    • To enable Strict Reverse Path Forwarding, set the line as: net.ipv4.conf.all.rp_filter = 1
       
    • To disable the source validation completely, set the line as: net.ipv4.conf.all.rp_filter = 0
       
  6. Save the changes.

    NOTE: If you deploy a proxy mode setup with asymmetric routing (client traffic arrives on one interface while the route back to the client's address points out of another), strict mode drops those packets and you may experience connectivity issues. In this case, enable loose mode or, if this does not help, disable the source validation completely. Be aware that the Linux kernel validates each interface with the higher of net.ipv4.conf.all.rp_filter and the per-interface net.ipv4.conf.<interface>.rp_filter value, so a per-interface entry elsewhere in sysctl.conf takes precedence over a lower value set for all.
For example, to modify sysctl.conf to disable the source validation completely, set the line to net.ipv4.conf.all.rp_filter = 0.
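To make the difference between the three rp_filter modes in the table above concrete, including the asymmetric-routing case described in the NOTE under step 6, here is a small Python model of the RFC 3704 check as the rp_filter sysctl applies it. This is an added example, not code from this KB article or from MWG; the routing table, the interface names eth0 and eth1, and the packets are constructed for the illustration, and effective_mode reflects the Linux kernel rule that an interface is validated with the higher of the "all" and per-interface rp_filter values.

```python
import ipaddress
from dataclasses import dataclass

# rp_filter values as documented for the Linux kernel sysctl
NO_VALIDATION = 0   # net.ipv4.conf.all.rp_filter = 0
STRICT = 1          # net.ipv4.conf.all.rp_filter = 1
LOOSE = 2           # net.ipv4.conf.all.rp_filter = 2


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed FIB for the illustration (not an MWG routing table):
# internal clients behind eth0, a management network on eth1, no default route.
FIB = (
    Route(ipaddress.IPv4Network("10.0.0.0/8"), "eth0"),
    Route(ipaddress.IPv4Network("10.50.0.0/16"), "eth1"),   # more specific, wins over the /8
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "eth1"),
)


def lookup(fib, src):
    """Longest-prefix match: the interface the FIB would use to reach src, or None."""
    addr = ipaddress.IPv4Address(src)
    matches = [r for r in fib if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).iface


def effective_mode(all_value, iface_value):
    """The kernel validates an interface with max(conf.all, conf.<iface>), so
    lowering the 'all' value does not relax a stricter per-interface setting."""
    return max(all_value, iface_value)


def accept(fib, src, in_iface, mode):
    """True if a packet from src arriving on in_iface passes rp_filter in the given mode."""
    if mode == NO_VALIDATION:
        return True
    out_iface = lookup(fib, src)
    if out_iface is None:
        return False                # no route at all: dropped in both strict and loose mode
    if mode == LOOSE:
        return True                 # loose: any route to the source is enough
    return out_iface == in_iface    # strict: the reply must leave via the arrival interface


def evaluate(fib, packets):
    """Decide each (src, in_iface) under all three modes.
    Returns {(src, in_iface): (strict, loose, no_validation)}."""
    return {
        (src, iface): (accept(fib, src, iface, STRICT),
                       accept(fib, src, iface, LOOSE),
                       accept(fib, src, iface, NO_VALIDATION))
        for src, iface in packets
    }


if __name__ == "__main__":
    # Constructed packets: symmetric, asymmetric (client reachable via eth0 but
    # arriving on eth1), symmetric via the more specific route, and one with no route.
    packets = [("10.1.2.3", "eth0"), ("10.1.2.3", "eth1"),
               ("10.50.4.4", "eth1"), ("203.0.113.5", "eth1")]
    print(f"{'source':<14}{'in':<6}{'strict':<8}{'loose':<8}off")
    for (src, iface), (s, l, o) in evaluate(FIB, packets).items():
        print(f"{src:<14}{iface:<6}{str(s):<8}{str(l):<8}{o}")
```

Running the script prints one decision line per packet. The asymmetric packet (source 10.1.2.3 arriving on eth1 although the FIB routes 10.0.0.0/8 via eth0) is exactly what strict mode drops and loose mode passes, while a source with no route in the FIB is dropped by both modes and accepted only when source validation is off.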
