Re: secure installation
> does it not cover the case of packets arriving at eth0 spoofed as
> from 127.0.0.1 ?
Right you are, that slipped my mind.
I seem to recall that earlier versions of debian had rp_filter default
to 1 (I see sarge still has this, you set spoofprotect=yes in
/etc/network/options, and afaik it defaults to yes).
I agree with the rest of the sentiment on the list though. I like
lean installs. I like to use a product called "firehol" to build my
(admittedly very simple) firewalls, but I will never advocate that it
be installed by default. I'd absolutely hate it if someone forced me
to install shorewall because they think I need to be protected from
myself. I think that is what most people are trying to say.