When reverse-path filtering is enabled, a Plixer Scrutinizer Collector is able to receive flows from IP addresses that it is unable to route to normally, such as non-local hosts whose traffic data is forwarded by a proxy or replication appliance.
This configuration should only be used when the Plixer Scrutinizer server/Collector is both in a secure environment and using a single interface.
In multi-interface/multi-homed scenarios and/or where strict networking practices are observed, the recommendations in RFC 3704 should be followed. This ensures that spoofed/forged packets cannot be used to generate responses that are sent out over a different interface.
Enabling reverse-path filtering
To enable reverse-path filtering on a Plixer Scrutinizer Collector, find the following line in

    net.ipv4.conf.default.rp_filter = 1

and change its value from 1 to 0.
In addition, the following steps are also recommended:
To bypass having to restart networking after editing the file, run the command

    sysctl -w net.ipv4.conf.default.rp_filter=0

to turn reverse-path filtering on.
Verify that the routing tables include routing data for all networks to be monitored to ensure that flows can be collected from non-local address spaces.
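As an added check for the two recommendations above (example code written for this page, not Plixer's), the following Python predicts from sysctl and "ip route show" output whether a given exporter's flows would pass the kernel's reverse-path check on the interface they arrive on. The sysctl values, routes and exporter addresses are constructed samples, and only the main routing table is modelled (the policy-routed tables used in VRF mode are not).

```python
"""Predict whether flow exporters pass Linux reverse-path filtering (constructed data)."""
import ipaddress

RP_OFF, RP_STRICT, RP_LOOSE = 0, 1, 2   # rp_filter values from the kernel's ip-sysctl documentation

# Constructed sample output of "sysctl -a | grep rp_filter" and "ip route show" (not a real host).
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 2
"""
SAMPLE_ROUTES = """\
default via 10.1.1.251 dev eth1
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.4.190
172.16.2.0/24 dev eth0 proto kernel scope link src 172.16.2.7
192.168.50.0/24 via 172.16.2.20 dev eth0
"""

def parse_rp_filter(sysctl_output):
    """Turn 'net.ipv4.conf.<iface>.rp_filter = N' lines into {iface: N}."""
    modes = {}
    for line in sysctl_output.splitlines():
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        if sep and len(parts) == 5 and parts[:3] == ["net", "ipv4", "conf"] and parts[4] == "rp_filter":
            modes[parts[3]] = int(value)
    return modes

def parse_routes(ip_route_output):
    """Turn 'ip route show' lines into [(network, dev)]; 'default' becomes 0.0.0.0/0."""
    routes = []
    for tokens in (line.split() for line in ip_route_output.splitlines()):
        if tokens and "dev" in tokens:
            prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
            routes.append((ipaddress.ip_network(prefix, strict=False), tokens[tokens.index("dev") + 1]))
    return routes

def reverse_path_dev(routes, src_ip):
    """Longest-prefix match: the interface a reply to src_ip would leave on, or None if unrouted."""
    src = ipaddress.ip_address(src_ip)
    matches = [(net.prefixlen, dev) for net, dev in routes if src in net]
    return max(matches)[1] if matches else None

def accepts_source(modes, routes, in_dev, src_ip):
    """Apply rp_filter as the kernel does: the larger of conf.all and conf.<in_dev> selects the mode."""
    mode = max(modes.get("all", RP_OFF), modes.get(in_dev, RP_OFF))
    if mode == RP_OFF:
        return True                      # no source validation: unroutable exporters are accepted
    out_dev = reverse_path_dev(routes, src_ip)
    if mode == RP_STRICT:
        return out_dev == in_dev         # RFC 3704 strict: best route back must use the ingress interface
    return out_dev is not None           # loose: any route back (default included) is enough

def audit(sysctl_output, ip_route_output, exporters):
    """Return {(in_dev, src_ip): accepted} for each (in_dev, src_ip) exporter pair."""
    modes, routes = parse_rp_filter(sysctl_output), parse_routes(ip_route_output)
    return {(dev, src): accepts_source(modes, routes, dev, src) for dev, src in exporters}
```

An exporter that audit() reports as rejected is one whose flows would be silently dropped with filtering active; either add the missing route for its network or leave rp_filter at 0 as described above.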
VRF (Virtual Routing and Forwarding) Mode
In some scenarios, such as when there are special security requirements or if the management network IP addresses overlap with collection-side interfaces, routing tables may need to be isolated from the management network.
Separate routing tables can be created to isolate management traffic to the management interface, so collection and polling traffic only impact their respective interfaces.
Sample routing table configuration
This example outlines the steps to configure two separate routing tables called plixer and public, corresponding to interfaces eth0 and eth1 respectively, on a Plixer Scrutinizer deployment.
Add the two routing tables to /etc/iproute2/rt_tables after the line #1 inr.ruhep:

    #
    # reserved values
    #
    255     local
    254     main
    253     default
    0       unspec
    #
    # local
    #
    #1  inr.ruhep
    1   public
    2   plixer
Create the files under /etc/sysconfig/network-scripts/ containing the following lines to define the default gateway for each table:

    default via 172.16.2.20 table plixer

    default via 10.1.1.251 table public
Add the gateway for each interface in its ifcfg- file (ifcfg-eth0 and ifcfg-eth1; no other changes are necessary) as follows:

    DEVICE="eth0"
    BOOTPROTO="none"
    HWADDR=""
    NM_CONTROLLED="yes"
    ONBOOT="yes"
    PEERDNS=no
    TYPE="Ethernet"
    NETMASK=255.255.255.0
    IPADDR=172.16.2.7
    GATEWAY=172.16.2.20

    DEVICE="eth1"
    BOOTPROTO="none"
    HWADDR=""
    NM_CONTROLLED="yes"
    ONBOOT="yes"
    PEERDNS=no
    TYPE="Ethernet"
    NETMASK=255.255.0.0
    IPADDR=10.1.4.190
    GATEWAY=10.1.1.251
Reboot the server to restart networking.
Verify that networking is functioning and confirm that the iptables rules accept or deny the correct traffic on each interface.