
Fw: Firewall Startup Configuration files



> ----- Original Message ----- 
> From: "Magnus Sundberg" <Magnus.Sundberg@dican.se>
> To: "Peter Robb" <deb@newproject.pl>
> Cc: <debian-firewall@lists.debian.org>
> Sent: Tuesday, November 04, 2003 6:32 PM
> Subject: Re: Firewall Startup Configuration files
> 
> 
> > Peter Robb wrote:
> <snipped>
> > > 
> > >>By the way NAT and DNAT does not protect you from evil neighbours
> > >>at your ISP. One of my internal networks was earlier 192.168.1.0/24.
> > >>An evil neighbour can send a source routed package to my gateway
> > >>further on to one of my internal machines...
> > >>No the ISP does not filter out these addresses, because it is not
> > >>possible in their DSL equipment.
> > > 
> > > 
> > > That is what the reverse path filter is for, rp_filter, in your /etc/sysctl.conf file
> > > 
> > Is this good enough?
> > If the evil person has good address A and sends a packet to your 
> > internal host B via your firewall C.
> > The packet from A will appear at interface a of C, with a fully 
> > valid sender address and fully valid recipient address B.
> > I don't understand why the rp filter should reject it.
> 
That's the source-routing option in sysctl.conf, yes or no..
net.ipv4.conf.all.accept_source_route = 0
> 
> > 
> > 
> > /Magnus
> 
Regards,
Peter
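The distinction in the thread is that rp_filter only rejects packets whose source address would not be routed back out the receiving interface; a source-routed packet can carry a perfectly valid source, so accept_source_route has to be 0 as well. The script below is an added example, not part of the list message: it audits a sysctl.conf-style file for both settings on the all and default interfaces. The two sample files it builds are constructed here to show the weak and the hardened case.

```shell
#!/bin/sh
# Audit a sysctl.conf-style file for reverse-path filtering and source-route
# acceptance. Keys are the real Linux sysctl names; the sample files are constructed.

# get_value FILE KEY: print the effective value of KEY (last assignment wins,
# as sysctl(8) reads the file top to bottom); prints nothing if KEY is absent.
get_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1
}

# audit_sysctl FILE: one line per key; exit 0 only if every key has the wanted value.
audit_sysctl() {
    rc=0
    for key in net.ipv4.conf.all.accept_source_route \
               net.ipv4.conf.default.accept_source_route \
               net.ipv4.conf.all.rp_filter \
               net.ipv4.conf.default.rp_filter; do
        case "$key" in
            *accept_source_route) want=0 ;;   # 0 = drop packets carrying LSRR/SSRR options
            *)                    want=1 ;;   # 1 = strict reverse-path check
        esac
        have=$(get_value "$1" "$key")
        if [ "$have" = "$want" ]; then
            printf '%-42s %s OK\n' "$key" "$have"
        else
            printf '%-42s %s FAIL (want %s)\n' "$key" "${have:-unset}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed samples: WEAK_CONF sets rp_filter only (the situation in the thread,
# where a source-routed packet with a valid source still gets through);
# HARDENED_CONF adds accept_source_route = 0 for all and default.
TMPD=$(mktemp -d)
WEAK_CONF="$TMPD/weak.conf"
HARDENED_CONF="$TMPD/hardened.conf"
printf '# strict reverse path only\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\n' > "$WEAK_CONF"
printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\n' > "$HARDENED_CONF"

audit_sysctl "$WEAK_CONF" || echo "weak.conf: hardening incomplete"
echo "---"
audit_sysctl "$HARDENED_CONF" && echo "hardened.conf: OK"
```

Point it at /etc/sysctl.conf or a file under /etc/sysctl.d/ to check a live box; compare against the running kernel with sysctl net.ipv4.conf.all.accept_source_route.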


