hi simon,

yeah you're right from what i've read, anti-spoofing is looked after in the routing code - check

# cat /proc/sys/net/ipv4/conf/all/rp_filter

should produce an output of '1'

but - i will certainly add it as a specific rule - and also protect the loopback device

ipchains -A input -i ppp0 -s 192.168.0.0/255.255.0.0 -j DENY
ipchains -A input -i ppp0 -s 10.0.0.0/255.0.0.0 -j DENY

-> er and the other one... you know - the other private network range which no-one uses :o)

no harm with two lines of defense!

thanks for the help

kev

Simon Waters wrote:
> John Horne wrote:
>
> > As such you won't even be able to
> > fiddle ipchains to try and determine your IP address when starting. You may
> > need to connect to the ISP, get the IP address, put that into ipchains and
> > then restart it. Messy, probably automatable, but again it may well work :-)
>
> You can specify rules based on interface, but since Demon
> allocate static IP addresses I've never done this in anger.
>
> Block everything, and then allow in the stuff from the
> Internet. If people are allowed to do things from the Internet,
> it is usually safe to let local IP addresses do the same thing!
>
> Then allow the other things using only the local static IP
> addresses, and make sure that any packets arriving on the ppp0
> interface with source addresses that ought to be inside are
> blocked (Although I think Linux does some anti-spoofing by
> default, let's not rely on it).
>
> --
> The Mailing List for the Devon & Cornwall LUG
> Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
> message body to unsubscribe.
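As an added example, not part of the thread above, here is a POSIX shell script that packages the two layers kev and Simon discuss: it checks the rp_filter knob and emits ipchains DENY rules on the PPP interface for all three RFC 1918 ranges (the thread spells out 192.168.0.0/16 and 10.0.0.0/8; the one kev could not remember is 172.16.0.0/12) plus the loopback net 127.0.0.0/8. The interface name ppp0, the function names, the `apply` argument and the `-l` logging flag are my choices, not anything from the posts. By default it only prints the rules rather than running them, so it works on a current box where ipchains (Linux 2.2) has long been replaced by iptables/nftables, and the rp_filter check takes an optional file path so it can be tested against a constructed file.

```shell
#!/bin/sh
# Added example, not code from the Devon & Cornwall LUG thread.
# Anti-spoofing for a dial-up link: an rp_filter check plus explicit
# ipchains rules, so that the firewall does not rely on the kernel's
# reverse-path filtering alone. "ppp0" and the function names are assumptions.

# All three RFC 1918 private ranges, written in the network/mask form
# that ipchains accepts (the thread itself only lists the first two).
PRIVATE_RANGES="10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 192.168.0.0/255.255.0.0"

# Print the ipchains rules that deny packets arriving on interface $1 whose
# source address claims to be private or loopback. Such a source can only be
# spoofed when it shows up on the WAN side. -l logs each match so spoofing
# attempts are visible in the kernel log.
antispoof_rules() {
    iface="$1"
    for net in $PRIVATE_RANGES 127.0.0.0/255.0.0.0; do
        printf 'ipchains -A input -i %s -s %s -l -j DENY\n' "$iface" "$net"
    done
}

# Return 0 if reverse-path filtering is switched on, 1 otherwise. The kernel
# knob reads "1" when on; a path argument lets this be checked against a
# constructed file instead of the live /proc entry.
rp_filter_enabled() {
    f="${1:-/proc/sys/net/ipv4/conf/all/rp_filter}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Number of rules antispoof_rules emits for an interface (3 private + loopback).
rule_count() {
    antispoof_rules "$1" | wc -l | tr -d ' '
}

# Usage: ./antispoof.sh [ppp0]        -> dry run, prints the rules
#        ./antispoof.sh apply [ppp0]  -> runs them (needs an ipchains kernel)
if [ "${1:-}" = "apply" ]; then
    rp_filter_enabled || echo "warning: rp_filter is off, relying on explicit rules only" >&2
    antispoof_rules "${2:-ppp0}" | sh
else
    antispoof_rules "${1:-ppp0}"
fi
```

Keeping the explicit rules even when rp_filter reads 1 is the "two lines of defense" kev refers to: reverse-path filtering only drops a packet if the kernel would route replies to its source out of a different interface, so on a box with a default route over ppp0 it does nothing for a spoofed 10.x source arriving on that link unless a more specific internal route exists. The interface-based rules do not depend on the dynamically assigned IP address at all, which is exactly the point Simon raises against John's suggestion of re-running ipchains after each connect.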