rp_filter (was Re: is iptables enough?)

To: debian-security@lists.debian.org
Cc:
Subject: rp_filter (was Re: is iptables enough?)
From: Blars Blarson <blarson@blars.org>
Date: Fri, 21 Mar 2003 12:20:21 -0800
Message-id: <[🔎] 200303212020.h2LKKL3R025258@renig.nat.blars.org>
In-reply-to: <[🔎] 435C366F075ED211B12200204840172D05869350@petitsuix.coe.int>

In article <[🔎] 435C366F075ED211B12200204840172D05869350@petitsuix.coe.int> 
Vincent.DEFFONTAINES@coe.int writes:
>Also, I would set some no-spoof rules, like accept 127.0.0.0/8 only from
>interface lo, and drop 
>non-routable stuff coming from public interface.

for dev in default eth0 eth1 eth2 eth3 eth4 eth5 eth6
do
	echo 1 >/proc/sys/net/ipv4/conf/${dev}/rp_filter
done

Much better than trying to put such stuff in iptables.  This changes with
your routing tables, and you don't need to duplicate them.
-- 
Blars Blarson			blarson@blars.org
				http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden

Reply to:

References:
- RE: is iptables enough?
  - From: DEFFONTAINES Vincent <Vincent.DEFFONTAINES@coe.int>

Prev by Date: Re: determining which patches to apply...
Next by Date: Re: determining which patches to apply...
Previous by thread: RE: is iptables enough?
Next by thread: fw distros - Re: is iptables enough? (fwd)
Index(es):
- Date
- Thread