rp_filter

  • 0 - No source validation.
  • 1 - Do source validation by reverse path, as specified in RFC1812. Recommended option for single homed hosts and stub network routers. Could cause trouble for complicated (not loop free) networks running a slow, unreliable protocol (such as RIP), or using static routes.

conf/all/rp_filter must also be set to 1 to do source validation on the interface.

If you set this to 1 on a router that is the only connection for a network to the net, it will prevent spoofing attacks against your internal networks (external addresses can still be spoofed), without the need for additional firewall rules.

The default value is 0, but note that some distributions enable it in startup scripts.
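As an added example that is not part of the kernel documentation, the strict reverse-path check described above can be simulated against a constructed two-interface routing table (eth0 towards the Internet, eth1 towards a 192.168.1.0/24 LAN); the route entries, interface names and addresses are assumptions chosen for illustration.

```python
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
# eth0 carries the default route to the Internet, eth1 faces the internal LAN.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),
]


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface the host would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_enabled(conf_all, conf_iface):
    """Validation is in effect only when conf/all and conf/<iface> are both 1."""
    return conf_all == 1 and conf_iface == 1


def accept_packet(src, in_iface, conf_all=1, conf_iface=1, routes=ROUTES):
    """Strict reverse-path check (RFC 1812): accept only if the route back to the
    source address leaves via the interface the packet arrived on. A source with
    no route at all is also dropped."""
    if not rp_filter_enabled(conf_all, conf_iface):
        return True
    return route_lookup(src, routes) == in_iface


if __name__ == "__main__":
    # Internal source address arriving from the Internet side: spoofed, dropped.
    print(accept_packet("192.168.1.10", "eth0"))
    # Same address arriving on the LAN interface: accepted.
    print(accept_packet("192.168.1.10", "eth1"))
    # External address arriving on eth0: passes, whether genuine or spoofed.
    print(accept_packet("203.0.113.5", "eth0"))
    # conf/all is 1 but conf/eth0 is 0: no validation on that interface.
    print(accept_packet("192.168.1.10", "eth0", conf_all=1, conf_iface=0))
```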