Reverse-path filtering

When reverse-path filtering is enabled, a Plixer Scrutinizer Collector is able to receive flows from IP addresses that it is unable to route to normally, such as non-local hosts whose traffic data is forwarded by a proxy or replication appliance.

This configuration should only be used when the Plixer Scrutinizer server/Collector is both in a secure environment and using a single interface.

Important

In multi-interface/multi-homed scenarios and/or where strict networking practices are observed, the recommendations in RFC 3704 should be followed. This ensures that spoofed/forged packets cannot be used to generate responses that are sent out over a different interface.

Enabling reverse-path filtering

To enable reverse-path filtering on a Plixer Scrutinizer Collector, find the following line in /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter = 1

And change its value from 1 to 0.

In addition, the following steps are also recommended:

  • To apply the change without restarting networking after editing the file, run sysctl -w net.ipv4.conf.default.rp_filter=0.

  • Verify that the routing tables contain routes for every network to be monitored, so that flows can be collected from non-local address spaces.
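The sysctl edited above only sets the value applied to interfaces created after it takes effect; the kernel enforces, per interface, the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<interface>.rp_filter (0 = no source validation, 1 = strict per RFC 3704, 2 = loose). The following is an added example, not code from the Plixer documentation: it computes that effective mode, reads the live values on a Linux host, and prints the sysctl commands for one interface. The interface name and the procps sysctl tool are assumptions.

```shell
#!/bin/sh
# Added example (not Plixer's own code). Shows how the kernel combines the
# "all" and per-interface rp_filter values into the mode actually enforced,
# reads them from /proc on a live Linux host, and prints the sysctl commands
# needed to change one interface. Interface names are assumptions.

# Per the kernel ip-sysctl documentation, the mode used for an interface is
# the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter.
effective_rp_filter() {
  all="$1"; iface="$2"
  if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

# Human-readable meaning of a mode value.
rp_filter_mode_name() {
  case "$1" in
    0) echo "off (no source validation)" ;;
    1) echo "strict (RFC 3704)" ;;
    2) echo "loose" ;;
    *) echo "unknown" ;;
  esac
}

# Commands that set the mode on one interface. "all" must be lowered as well,
# otherwise its value still wins; interfaces whose own value stays at 1 (for
# example the management interface) remain strict. "default" is included so
# that interfaces created later get the same mode.
rp_filter_set_commands() {
  iface="$1"; mode="$2"
  printf 'sysctl -w net.ipv4.conf.all.rp_filter=%s\n' "$mode"
  printf 'sysctl -w net.ipv4.conf.%s.rp_filter=%s\n' "$iface" "$mode"
  printf 'sysctl -w net.ipv4.conf.default.rp_filter=%s\n' "$mode"
}

# Live report for one interface (Linux only; reads /proc).
report_rp_filter() {
  iface="$1"
  all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter) || return 1
  per=$(cat "/proc/sys/net/ipv4/conf/$iface/rp_filter") || return 1
  eff=$(effective_rp_filter "$all" "$per")
  printf '%s: all=%s iface=%s effective=%s (%s)\n' \
    "$iface" "$all" "$per" "$eff" "$(rp_filter_mode_name "$eff")"
}

# Usage on the collector, e.g.:
#   report_rp_filter eth0
#   rp_filter_set_commands eth0 0
```

Running report_rp_filter for each interface before and after the change confirms that only the collection interface was relaxed and that the management interface still reports an effective mode of 1.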

VRF (Virtual Routing and Forwarding) Mode

In some scenarios, such as when there are special security requirements or if the management network IP addresses overlap with collection-side interfaces, routing tables may need to be isolated from the management network.

Separate routing tables can be created to confine management traffic to the management interface, so that collection and polling traffic only affect their respective interfaces.

Sample routing table configuration

This example outlines the steps to configure two separate routing tables called plixer and public corresponding to interfaces eth0 and eth1 on a Plixer Scrutinizer deployment.

  1. Add the two routing tables to /etc/iproute2/rt_tables after the line #1 inr.ruhep:

    #
    # reserved values
    #
    255 local
    254 main
    253 default
    0 unspec
    #
    # local
    #
    #1 inr.ruhep
    1 public
    2 plixer
    
  2. Create the files route-eth0 and route-eth1 under /etc/sysconfig/network-scripts/ containing the following lines to define the default gateway for each table:

    route-eth0

    default via 172.16.2.20 table plixer
    

    route-eth1

    default via 10.1.1.251 table public
    
  3. Add the gateway for each interface in /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 (no other changes are necessary) as follows:

    ifcfg-eth0

    DEVICE="eth0"
    BOOTPROTO="none"
    HWADDR=""
    NM_CONTROLLED="yes"
    ONBOOT="yes"
    PEERDNS=no
    TYPE="Ethernet"
    NETMASK=255.255.255.0
    IPADDR=172.16.2.7
    GATEWAY=172.16.2.20
    

    ifcfg-eth1

    DEVICE="eth1"
    BOOTPROTO="none"
    HWADDR=""
    NM_CONTROLLED="yes"
    ONBOOT="yes"
    PEERDNS=no
    TYPE="Ethernet"
    NETMASK=255.255.0.0
    IPADDR=10.1.4.190
    GATEWAY=10.1.1.251
    
  4. Reboot the server to restart networking.

  5. Verify that networking is functioning and confirm that the iptables rules accept or deny the correct traffic on each interface.
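Before the reboot in step 4, it is worth confirming that the table names used in the route-ethN files actually exist in rt_tables with unique IDs, and, as part of the step 5 check, that a policy rule selects each table, since the kernel only consults a custom table when an ip rule points at it. The script below is an added example, not part of the Plixer documentation; it uses a constructed copy of the rt_tables content shown above as sample input, and the file paths in the usage comment are assumed to be the RHEL/CentOS network-scripts layout used on this page.

```shell
#!/bin/sh
# Added example, not part of the Plixer documentation. Validates rt_tables
# entries and the table references in route-ethN files before rebooting, and
# prints the ip commands for the post-reboot check.

# Constructed copy of the rt_tables content shown above, used as sample input.
SAMPLE_RT_TABLES='#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 public
2 plixer'

# Print the numeric ID of a named table, or return 1 if it is not defined.
rt_table_id() {
  name="$1"; content="$2"
  printf '%s\n' "$content" | awk -v n="$name" '
    /^[[:space:]]*#/ || NF < 2 { next }
    $2 == n { print $1; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# List duplicate IDs or names; prints nothing when the file is clean.
rt_table_duplicates() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF < 2 { next }
    id[$1]++ >= 1 { print "duplicate id " $1 }
    nm[$2]++ >= 1 { print "duplicate name " $2 }'
}

# Confirm every "table <name>" in a route-ethN file resolves in rt_tables.
check_route_file() {
  routes="$1"; tables="$2"; rc=0
  for t in $(printf '%s\n' "$routes" | awk '{ for (i = 1; i < NF; i++) if ($i == "table") print $(i + 1) }'); do
    if id=$(rt_table_id "$t" "$tables"); then
      echo "table $t -> id $id"
    else
      echo "table $t is not defined in rt_tables" >&2
      rc=1
    fi
  done
  return $rc
}

# Commands for the post-reboot check: the routes in each table, plus the
# policy rules, because a table is only used when an ip rule selects it.
inspect_commands() {
  for t in "$@"; do printf 'ip route show table %s\n' "$t"; done
  echo 'ip rule show'
}

# Usage on the server (reads the real files; paths are assumptions):
#   rt_table_duplicates "$(cat /etc/iproute2/rt_tables)"
#   check_route_file "$(cat /etc/sysconfig/network-scripts/route-eth0)" "$(cat /etc/iproute2/rt_tables)"
#   inspect_commands plixer public
```

If `ip rule show` lists only the three built-in rules (local, main, default), the plixer and public tables are never consulted and the per-table default routes have no effect; a rule-ethN file or an explicit `ip rule add` selecting each table by source address is then still missing.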