
Re: Request for comments: iptables script for use on laptops.



On 23 May 2006 10:06, Rolf Kutz <kutz@netcologne.de> wrote to debian-security@lists.debian.org:
> * Quoting LeVA (leva@az.isten.hu):
> > > iptables -A INPUT -i lo -j ACCEPT
> > > iptables -A OUTPUT -o lo -j ACCEPT
> >
> > But if one can spoof 127.0.0.1, then one can spoof anything else, so
> > creating any rule with an ip address matching is useless. No? If I set up
> > my firewall to accept only my local network (eg. -s
> > 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then anyone
> > can spoof that too. So what's the point of creating rules? :)
>
> The script under scrutiny was intended for a
> laptop. A router or firewall setup is something
> different and should not route traffic with
> spoofed addresses.  rp_filter should catch this
> easily, if you can use it. If not, an IP-based
> rule is ok, IMHO.

So sticking with the smtp example, if I have enabled rp_filter, then does it 
matter whether I'm using this:
iptables -A INPUT -p tcp -i lo --dport 25 -j ACCEPT

or this:
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 25 -j ACCEPT


Daniel

-- 
LeVA
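An added illustration, not part of the thread, of the difference the question above turns on: it models (in a deliberately simplified way) a packet's arriving interface, its header source address, and a strict reverse-path check, then runs the two INPUT rules from the mail against a genuine loopback packet and a constructed packet that claims a 127.0.0.1 source but arrives on eth0. The routing table, interface names and helper names are all assumptions made for the model.

```python
# Added example (not from the thread): a toy model of interface matching (-i lo)
# versus source-address matching (-s 127.0.0.1), with and without rp_filter.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet actually arrived on
    src: str        # source address as written in the header (may be forged)
    dport: int

# Constructed routing table for the model: destination network -> outgoing interface.
ROUTES = {
    ip_network("127.0.0.0/8"): "lo",
    ip_network("192.168.0.0/24"): "eth0",
    ip_network("0.0.0.0/0"): "eth0",
}

def route_iface(addr):
    """Longest-prefix match: the interface a reply to addr would leave through."""
    a = ip_address(addr)
    best = max((n for n in ROUTES if a in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def rp_filter_drops(pkt):
    """Strict reverse-path filtering: drop the packet if the route back to its
    claimed source does not go out the interface it came in on."""
    return route_iface(pkt.src) != pkt.in_iface

# The two INPUT rules from the mail, each reduced to a match predicate.
def rule_iface_lo(pkt):      # iptables -A INPUT -p tcp -i lo --dport 25 -j ACCEPT
    return pkt.in_iface == "lo" and pkt.dport == 25

def rule_src_loopback(pkt):  # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 25 -j ACCEPT
    return pkt.src == "127.0.0.1" and pkt.dport == 25

def accepted(pkt, rule, rp_filter):
    """True if the packet gets through: rp_filter (when on) runs before the rule."""
    if rp_filter and rp_filter_drops(pkt):
        return False
    return rule(pkt)

LOCAL = Packet("lo", "127.0.0.1", 25)    # genuine local delivery to smtp
SPOOF = Packet("eth0", "127.0.0.1", 25)  # constructed: forged loopback source on the LAN side
```

The model shows that the interface match rejects the forged packet on its own, while the address match only does so once rp_filter is there to discard it first.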
