
Re: secure installation



> does it not cover the case of packets arriving at eth0 spoofed as
> from 127.0.0.1 ?

Right you are, that slipped my mind.

I seem to recall that earlier versions of Debian had rp_filter default
to 1 (I see sarge still has this, you set spoofprotect=yes in
/etc/network/options, and afaik it defaults to yes).

I agree with the rest of the sentiment on the list though.  I like
lean installs.  I like to use a product called "firehol" to build my
(admittedly very simple) firewalls, but I will never advocate that it
be installed by default.  I'd absolutely hate it if someone forced me
to install shorewall because they think I need to be protected from
myself.  I think that is what most people are trying to say.
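
The rp_filter setting mentioned in the message above can be audited per interface. The script below is an added example, not part of the original post. It assumes a current Linux kernel, where the value applied to an interface is the larger of conf/all/rp_filter and conf/<iface>/rp_filter; the function names and the root-directory parameter are illustrative.

```shell
#!/bin/sh
# Audit reverse-path filtering (rp_filter) for every IPv4 interface.
# The sysctl root is a parameter (an assumption made for this example) so the
# check can run against a constructed directory tree as well as the live one.
# Usage on a live system: audit_rp_filter

# effective_rp_filter ROOT IFACE
# Prints the value the kernel applies to IFACE: the maximum of
# ROOT/all/rp_filter and ROOT/IFACE/rp_filter.
effective_rp_filter() {
    root=$1
    iface=$2
    all=$(cat "$root/all/rp_filter" 2>/dev/null) || all=0
    own=$(cat "$root/$iface/rp_filter" 2>/dev/null) || return 1
    if [ "$all" -gt "$own" ]; then
        echo "$all"
    else
        echo "$own"
    fi
}

# audit_rp_filter [ROOT]
# Prints one line per interface and returns non-zero if any interface
# performs no source validation at all.
audit_rp_filter() {
    root=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces.
        case $iface in
            all|default) continue ;;
        esac
        val=$(effective_rp_filter "$root" "$iface") || continue
        case $val in
            0) echo "$iface: rp_filter=0 (no source validation)"; rc=1 ;;
            1) echo "$iface: rp_filter=1 (strict reverse-path check)" ;;
            2) echo "$iface: rp_filter=2 (loose reverse-path check)" ;;
        esac
    done
    return $rc
}
```
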


