
Re: Request for comments: iptables script for use on laptops.



23 May 2006 02:04,
Uwe Hermann <uwe@hermann-uwe.de>
-> George Hein <zweistein@optonline.net>,debian-laptop@lists.debian.org, 
debian-security@lists.debian.org:
> >   iptables -A INPUT  -j ACCEPT -s 127.0.0.1      # local host
> >   iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> his IP address to appear to be 127.0.0.1 could send _any_ traffic
> to you and you would ACCEPT it, basically rendering the firewall
> useless. Did I miss anything?
>
> The following should be better, as it only allows traffic to/from the
> loopback interface (but not eth0 or what have you)...
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
But if one can spoof 127.0.0.1, then one can spoof anything else, so creating 
any rule with an IP address match is useless. No? If I set up my firewall 
to accept only my local network (e.g. -s 192.168.0.0/255.255.255.0) connecting 
to a port (e.g. smtp), then anyone can spoof that too. So what's the point of 
creating rules? :)

Daniel

-- 
LeVA
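The two rule styles discussed in this thread, side by side, as an added example (written for this page; it is not a script posted by Uwe, Daniel or George). It emits an iptables-restore ruleset as text so it can be inspected before loading: loopback is matched by interface (-i lo / -o lo) instead of by address, a packet claiming a 127.0.0.0/8 source on any interface other than lo is dropped, and the LAN-only SMTP rule is combined with a conntrack state match, so a SYN with a forged 192.168.0.0/24 source still cannot complete a handshake, because the replies go to the real host in that range, not to the spoofer. The interface name eth0 and the LAN_NET default are assumptions; applying the output needs root.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables-restore ruleset
# and matching sysctl lines; nothing here touches the running firewall.
# Assumptions: one uplink (eth0, hypothetical) and the 192.168.0.0/24 LAN
# mentioned in the thread.

LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Print the ruleset. Interface-based loopback rules replace the
# "-s 127.0.0.1" / "-d 127.0.0.1" address match from the original script.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: match the interface, never the address
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# anti-spoof: a 127/8 source must never arrive on a real interface
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# replies to connections this host opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # LAN-only SMTP; NEW + source match. A forged-source SYN from outside
    # never sees the SYN/ACK, so it cannot progress past this rule's intent.
    printf -- '-A INPUT -p tcp --dport 25 -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$LAN_NET"
    echo COMMIT
}

# Reverse-path filtering: the kernel drops packets whose source address is
# not routable back out of the interface they arrived on, which covers the
# "spoof the LAN range from eth0" case at a lower layer than iptables.
gen_sysctl() {
    echo 'net.ipv4.conf.all.rp_filter = 1'
    echo 'net.ipv4.conf.default.rp_filter = 1'
}

# Sanity checks on the generated text (usable without root).
count_addr_loopback() {
    # should be 0: no address-based loopback rule survives
    gen_rules | grep -c -- '-s 127.0.0.1 ' || true
}
count_iface_loopback() {
    # should be 1: the interface-based INPUT rule
    gen_rules | grep -c -- '-i lo -j ACCEPT'
}

# To apply (as root):
#   gen_rules  | iptables-restore
#   gen_sysctl | sysctl -p -
```

The ruleset is loaded atomically by iptables-restore, so a machine that is already online never sits with a half-built chain between the loopback rule and the default DROP policy.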
