Re: Request for comments: iptables script for use on laptops.
LeVA said:
> But if one can spoof 127.0.0.1, then one can spoof anything else, so
> creating any rule with an ip address matching is useless. No?
It's not totally useless but gives only a minor level of protection,
i.e. it helps against attacks without spoofing :)
> If I set up my firewall to accept only my local network (eg.
> -s 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then
> anyone can spoof that too. So what's the point of creating rules? :)
This is ok. You simply need some more "anti-spoofing" rules.
You can allow packets from 127.0.0.1 only if they come from the loopback
interface. And you may want to discard packets coming from the internal
network card, if they don't have an approriate IP address.
Here is an example: http://www.sns.ias.edu/~jns/files/iptables_ruleset
--
Michel Messerschmidt, lists@michel-messerschmidt.de
$ rpm -q --whatrequires linux
no package requires linux
Reply to: