Re: IP spoofing protection
I wondered about the same thing...
BTW, ipmasq as installed has almost no firewall capability unless
you add scripts to it. But they have a cute script to autodetect
ethernet ports.
Anyway, I ended up adding several firewall scripts in ipmasq style
and put them in the /etc/ipmasq/rules directory.
You can see my script at www.aokiconsulting.com/pub.
After doing so, I feel like it may be easier to have all the scripts in one file.
Too many small scripts.
Osamu
On Tue, Jan 09, 2001 at 03:11:09AM +0100, Carel Fellinger wrote:
> I sent the following to debian-firewall, but no one reacted, so I try here.
>
> =========================
>
> Hai and a jolly new year,
>
> I'm in the process of switching from pmfirewall to ipmasq. I've read
> a lot, and now I'm confused:)
>
> I thought rp_filter was supposed to prevent ip spoofing, but ipmasq
> still adds rules like:
>
> ipchains -A input -j DENY -i ! lo -s 127.0.0.1/255.0.0.0 -l
> ipchains -A input -j DENY -i ! eth1 -s 192.168.1.1/255.255.255.0 -l
>
> Am I correct in assuming this is only done to get the logging?
>
> The second point of confusion is here:
>
> ipchains -A output -j DENY -i ! eth1 -d 192.168.1.1/255.255.255.0 -l
>
> Is this just the routing being checked by ipchains rules? Am I correct
> in assuming this would be useless on a well configured machine?
>
> --
> groetjes, carel
--
+ Osamu Aoki <debian@aokiconsulting.com>, GnuPG-key: 1024D/D5DE453D +
+ Fingerprint: 814E BD64 3288 40E7 E88E 3D92 C3F8 EA94 D5DE 453D +
+ === http://www.aokiconsulting.com ======= Cupertino, CA USA === +