Re: secure installation
On Thu, Aug 16, 2007 at 02:54:16PM +0200, Izak Burger wrote:
> > does it not cover the case of packets arriving at eth0 spoofed as
> > from 127.0.0.1 ?
> Right you are, that slipped my mind.
I asked because I don't remember and I really can't be bothered to
check. These things are tricky and life is short.
> I seem to recall that earlier versions of debian had rp_filter default
> to 1 (I see sarge still has this, you set spoofprotect=yes in
> /etc/network/options, and afaik it defaults to yes).
> I agree with the rest of the sentiment on the list though. I like
> lean installs. I like to use a product called "firehol" to build my
> (admittedly very simple) firewalls, but I will never advocate that it
> be installed by default. I'd absolutely hate it if someone forced me
> to install shorewall because they think I need to be protected from
> myself. I think that is what most people are trying to say.
All I'm saying is, would it be possible to have a single simple
option that users could *elect* to take, that wasn't the default,
that wasn't bending anyones life out of shape, marked "Novice User"
or something :-)