Re: Request for comments: iptables script for use on laptops.
* Quoting LeVA (email@example.com):
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -o lo -j ACCEPT
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
> any rule with an ip address matching is useless. No? If I set up my firewall
> to accept only my local network (eg. -s 192.168.0.0/255.255.255.0) connecting
> to a port (eg. smtp), then anyone can spoof that too. So what's the point of
> creating rules? :)
The script under scrutiny was intended for a
laptop. A router or firewall setup is something
different and should not route traffic with
spoofed addresses. rp_filter should catch this
easily, if you can use it. If not, an IP-based
rule is ok, IMHO.