
Re: PROPOSAL: simple masquerading and filtering firewall setup



At 07:13 -0700 1998-07-27, Raul Miller wrote:
>netbase already has some "don't spoof my addresses when talking to me"
>rules, but last time I checked it just protects 127.0.0.1, and has
>commented out rules that would use `hostname -i` to protect the primary
>interface address.

Note that for 2.1 kernels (which will be in 2.2), IP spoofing protection is
automagically enabled by /etc/init.d/netbase for every interface.

    # This is the best method: turn on Source Address Verification and get
    # spoof protection on all current and future interfaces.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n "Setting up IP spoofing protection..."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > "$f"
        done
        echo "done."
    fi
--
Joel "Espy" Klecker    Debian GNU/Linux Developer    <mailto:jk@espy.org>
<http://www.espy.org/>                          <ftp://ftp.espy.org/pub/>
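
An added example, not part of the original message or of the netbase script: a POSIX shell check that lists the interfaces on which reverse-path filtering is still off. It assumes current kernel semantics, where the larger of conf/all/rp_filter and conf/<iface>/rp_filter applies to an interface; the function names and the CONF_ROOT variable are hypothetical.

```shell
#!/bin/sh
# Audit rp_filter (Source Address Verification) per interface.
# CONF_ROOT (hypothetical variable) defaults to the live /proc tree; pointing
# it at a constructed directory lets the check run offline.

# effective_rp_filter ROOT IFACE
# Prints the value applied to IFACE: 0 = off, 1 = strict, 2 = loose.
effective_rp_filter() {
    root=$1
    iface=$2
    all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$root/$iface/rp_filter" 2>/dev/null || echo 0)
    all=${all:-0}
    own=${own:-0}
    # Assumption: current kernels use max(conf/all, conf/IFACE).
    if [ "$all" -gt "$own" ]; then
        echo "$all"
    else
        echo "$own"
    fi
}

# unprotected_ifaces ROOT
# Prints one interface name per line where the effective value is 0.
unprotected_ifaces() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for d in "$root"/*/; do
        [ -e "${d}rp_filter" ] || continue
        iface=$(basename "$d")
        # "all" and "default" are settings templates, not interfaces.
        case $iface in
            all|default) continue ;;
        esac
        [ "$(effective_rp_filter "$root" "$iface")" -eq 0 ] && echo "$iface"
    done
    return 0
}

# Report against the live tree, or against CONF_ROOT if it is set.
unprotected_ifaces "${CONF_ROOT:-/proc/sys/net/ipv4/conf}"
```

Empty output means every interface has some form of source validation enabled.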

