
Re: Request for comments: iptables script for use on laptops.



Hi,

On Tue, May 23, 2006 at 10:01:46AM +0200, Rolf Kutz wrote:
> > >   iptables -A INPUT  -j ACCEPT -s 127.0.0.1      # local host
> > >   iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
> > 
> > Correct me if I'm wrong, but I think this would also allow incoming
> > traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> > his IP address to appear to be 127.0.0.1 could send _any_ traffic
> > to you and you would ACCEPT it, basically rendering the firewall
> > useless. Did I miss anything?
> 
> Maybe this:
> 
> | echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

Um, no. The line is from my own script, but the one from George Hein
(which I was referring to) does not have that line.


Uwe.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
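
The concern raised in the quoted text is that an ACCEPT rule matching only on `-s 127.0.0.1` is not tied to the loopback interface. The following check is an added example, not part of this message or of either script discussed in the thread: it scans rules in `iptables-save` format and reports INPUT rules that accept a 127.0.0.0/8 source without `-i lo`. The function name and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output for loopback-source ACCEPT
# rules on INPUT that are not bound to the lo interface.

# Constructed sample ruleset (iptables-save format), not from a real host.
# Line 4 is the pattern questioned in the thread; lines 5-6 are the
# interface-bound forms; line 7 drops loopback sources arriving elsewhere.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
COMMIT'

# find_unbound_loopback_accepts RULES_TEXT  (hypothetical helper name)
# Prints each INPUT rule that ACCEPTs a 127.x source but has no "-i lo".
# Negated matches ("! -s", "! -i") are not counted as a match.
find_unbound_loopback_accepts() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            src = 0; lo = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-s" && $(i+1) ~ /^127\./ && $(i-1) != "!") src = 1
                if ($i == "-i" && $(i+1) == "lo"    && $(i-1) != "!") lo = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (src && accept && !lo) print
        }'
}

# Run against the constructed sample; on a live host, pass "$(iptables-save)".
find_unbound_loopback_accepts "$SAMPLE_RULES"
```

Only the rule without an interface match is reported; the `-i lo` variants and the DROP rule pass the check.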
