
Re: Request for comments: iptables script for use on laptops.



* Quoting LeVA (leva@az.isten.hu):

> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -o lo -j ACCEPT
> >
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating 
> any rule with an IP address match is useless. No? If I set up my firewall 
> to accept only my local network (e.g. -s 192.168.0.0/255.255.255.0) connecting 
> to a port (e.g. smtp), then anyone can spoof that too. So what's the point of 
> creating rules? :)

The script under scrutiny was intended for a
laptop. A router or firewall setup is something
different and should not route traffic with
spoofed addresses.  rp_filter should catch this
easily, if you can use it. If not, an IP-based
rule is ok, IMHO.

- Rolf
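To make the rp_filter point concrete, here is an added illustration (not code from the thread or from any of its posters) that models strict reverse-path filtering in Python. The routing table, interface names and addresses are constructed assumptions, and the check is simplified to the strict-mode rule (rp_filter=1): a packet is accepted only if the route back to its source address leaves through the interface the packet arrived on, which is why a spoofed 127.0.0.1 or 192.168.0.x source arriving on the wrong link never reaches the IP-based INPUT rule.

```python
import ipaddress

# Constructed routing table for a laptop: (destination prefix, outgoing interface).
# Lookup uses longest-prefix match, as the kernel does.
ROUTES = [
    ("127.0.0.0/8", "lo"),
    ("192.168.0.0/24", "eth0"),
    ("0.0.0.0/0", "ppp0"),  # default route, e.g. a dial-up or VPN link (assumed)
]


def route_lookup(dst, routes=ROUTES):
    """Return the interface the kernel would use to reach `dst` (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_strict(src, in_iface, routes=ROUTES):
    """Simplified strict reverse-path check (rp_filter=1): accept only if the
    reply to `src` would leave through the interface the packet arrived on."""
    return route_lookup(src, routes) == in_iface


def accept_smtp(src, in_iface, routes=ROUTES):
    """Model of the rule discussed in the thread: allow SMTP from 192.168.0.0/24
    only, but run the packet through rp_filter first, as the kernel does before
    the INPUT chain sees it."""
    if not rp_filter_strict(src, in_iface, routes):
        return False  # spoofed source arriving on the wrong interface: dropped early
    return ipaddress.ip_address(src) in ipaddress.ip_network("192.168.0.0/24")


if __name__ == "__main__":
    # Constructed sample packets: (source address, arrival interface).
    for src, iface in [("127.0.0.1", "eth0"), ("192.168.0.5", "ppp0"),
                       ("192.168.0.5", "eth0"), ("10.1.2.3", "ppp0")]:
        verdict = "ACCEPT" if accept_smtp(src, iface) else "DROP"
        print(f"{src:>12} on {iface:<5} -> {verdict}")
```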
