Fw: Firewall Startup Configuration files
> ----- Original Message -----
> From: "Magnus Sundberg" <Magnus.Sundberg@dican.se>
> To: "Peter Robb" <deb@newproject.pl>
> Cc: <debian-firewall@lists.debian.org>
> Sent: Tuesday, November 04, 2003 6:32 PM
> Subject: Re: Firewall Startup Configuration files
>
>
> > Peter Robb wrote:
> <snipped>
> > >
> > >>By the way NAT and DNAT does not protect you from evil neighbours
> > >>at your ISP. One of my internal networks was earlier 192.168.1.0/24.
> > >>An evil neighbour can send a source routed package to my gateway
> > >>further on to one of my internal machines...
> > >>No the ISP does not filter out these addresses, because it is not
> > >>possible in their DSL equipment.
> > >
> > >
> > > That is what the reverse path filter is for, rp_filter, in your /etc/sysctl.conf file
> > >
> > Is this good enough?
> > If the evil person has good address A and sends a packet to your
> > internal host B via your firewall C.
> > The packet from A will appear at interface a of C, with a fully
> > valid sender address and fully valid recipient address B.
> > I don't understand why the rp filter should reject it.
>
That's the source-routing option in sysctl.conf, yes or no..
net.ipv4.conf.all.accept_source_route = 0
>
> >
> >
> > /Magnus
>
Regards,
Peter
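An added example for the two controls the thread discusses; it is not code from the thread or from Debian. It audits a sysctl.conf-style file for `net.ipv4.conf.*.accept_source_route` (should be 0, so source-routed packets addressed through the gateway are dropped instead of forwarded) and `net.ipv4.conf.*.rp_filter` (should be 1, so a packet arriving on an interface through which its source address is not reachable is discarded). The sample config files are constructed for the demonstration; the sysctl key names are the real Linux ones, and the live-kernel check is skipped where /proc/sys/net is not available.

```shell
#!/bin/sh
# Added example, not code from the thread. It audits a sysctl.conf-style file
# for the two controls discussed above: source-routed packets must be refused
# (accept_source_route = 0) and strict reverse-path filtering must be on
# (rp_filter = 1). Key names are the real Linux sysctl names.

# audit_sysctl_file FILE: print one line per key, return 1 if any is missing or weak.
audit_sysctl_file() {
    file="$1"
    status=0
    for key in net.ipv4.conf.all.accept_source_route \
               net.ipv4.conf.default.accept_source_route \
               net.ipv4.conf.all.rp_filter \
               net.ipv4.conf.default.rp_filter
    do
        case "$key" in
            *.accept_source_route) want=0 ;;
            *.rp_filter)           want=1 ;;
        esac
        # Take the last uncommented assignment, as "sysctl -p" does (later lines win).
        have=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$file" | tail -n 1)
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"; status=1
        elif [ "$have" != "$want" ]; then
            printf 'WEAK    %s = %s (want %s)\n' "$key" "$have" "$want"; status=1
        else
            printf 'OK      %s = %s\n' "$key" "$have"
        fi
    done
    return $status
}

# audit_running_kernel: the same checks against /proc/sys on a live Linux host.
# Returns 2 (skipped) where /proc/sys/net/ipv4/conf is absent, e.g. in a sandbox.
audit_running_kernel() {
    [ -d /proc/sys/net/ipv4/conf ] || { echo "no /proc/sys/net/ipv4/conf here, skipping"; return 2; }
    status=0
    for iface in all default; do
        for pair in accept_source_route:0 rp_filter:1; do
            name=${pair%%:*}; want=${pair##*:}
            have=$(cat "/proc/sys/net/ipv4/conf/$iface/$name")
            if [ "$have" != "$want" ]; then
                printf 'WEAK    net.ipv4.conf.%s.%s = %s (want %s)\n' "$iface" "$name" "$have" "$want"; status=1
            fi
        done
    done
    return $status
}

# Constructed sample files (not real host configs): one where a later line
# silently re-enables source routing, and one hardened as recommended.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# rp_filter set only for "all"; a later line re-enables source routing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 1
EOF
cat > "$tmp/hardened.conf" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF

echo "== weak.conf =="
if audit_sysctl_file "$tmp/weak.conf"; then echo "PASS"; else echo "FAIL"; fi
echo "== hardened.conf =="
if audit_sysctl_file "$tmp/hardened.conf"; then echo "PASS"; else echo "FAIL"; fi
```

Run it against /etc/sysctl.conf (and the files under /etc/sysctl.d/) on the firewall itself; the file audit catches the common mistake of a later line overriding an earlier hardening line, and `audit_running_kernel` confirms what the kernel is actually using after `sysctl -p`. Note that rp_filter on its own does not answer Magnus's case: a spoofed packet whose source address really is reachable via the outside interface passes the reverse-path check, which is why accept_source_route must be 0 as well.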