
Spoof protection / RFC1812



Hello world,

(cf Bug#104569)

RFC1812 says that Internet routers should have the ability to avoid
source address spoofing (e.g., sending something that appears to be from
a private LAN address through your firewall's public internet connection),
but must not enable it by default.

netbase provides such spoof protection, and enables it by default. It also
disables IP forwarding by default, effectively putting Debian machines
into the category of Internet host rather than Internet router, under
the terms of RFC1812.

I'm strongly disinclined to change the default behaviour of netbase at
all.  I could conceivably change it so that it would ask if you wanted to
be an Internet host or an Internet router, and change the policy to match
the rfc on those grounds, but I'm disinclined to do that too: in most
cases routers are specifically where you want the spoof protection most.

OTOH, I'm also disinclined to deliberately break an rfc's "must not".

Thoughts?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you
  do not understand, cannot perceive, or don't care about, is too much.''
                      -- John S. Novak, III (The Humblest Man on the Net)



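The spoof protection the mail refers to is, on Linux, reverse-path filtering (the per-interface rp_filter sysctl; that this is the knob netbase toggles is my reading, not stated above). The following Python is an added example, not part of the original mail or of netbase: it models the strict check over a constructed routing table, with constructed interface names (ppp0 public link, eth0/eth1 private LANs), accepting a packet only if the route back to its source address leaves by the interface it arrived on.

```python
"""Model of the reverse-path check behind Linux 'spoof protection'.

Added example, not from the original mail. Assumes strict reverse-path
filtering as enabled by /proc/sys/net/ipv4/conf/*/rp_filter: a packet is
accepted only if the route back to its source address leaves through the
interface it arrived on. Routing table and interface names are constructed.
"""
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),         # default via public link
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),    # private LAN
    (ipaddress.ip_network("192.168.1.128/25"), "eth1"),  # more specific subnet
]


def lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface a packet addressed to addr leaves on."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_accept(src, in_iface, routes=ROUTES):
    """Strict reverse-path filter: accept iff the return path uses in_iface."""
    return lookup(src, routes) == in_iface


def audit(packets, routes=ROUTES):
    """Classify (src, ingress interface) pairs; returns (src, iface, verdict)."""
    return [(src, iface, "accept" if rpf_accept(src, iface, routes) else "drop")
            for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample packets: a LAN address arriving on the public link
    # is the spoofing case the filter exists to drop.
    sample = [
        ("192.168.1.10", "ppp0"),   # private source on the Internet side: drop
        ("192.168.1.10", "eth0"),   # same source on its own LAN: accept
        ("203.0.113.5", "ppp0"),    # ordinary Internet source on ppp0: accept
        ("192.168.1.200", "eth0"),  # belongs to the eth1 subnet, wrong side: drop
    ]
    for row in audit(sample):
        print(*row)
```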