Re: Request for comments: iptables script for use on laptops.

2006-05-26 Thread Uwe Hermann
Hi, On Tue, May 23, 2006 at 10:02:33PM -0400, Michael Stone wrote: (E.g., want to be able to test without the complexity of an encryption layer, don't want overhead of encrypting both sides of a local connection, etc.) Aside from that, yeah, ip addresses shouldn't be used for

Re: Request for comments: iptables script for use on laptops.

2006-05-26 Thread Uwe Hermann
Hi, On Tue, May 23, 2006 at 10:01:46AM +0200, Rolf Kutz wrote: iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host iptables -A OUTPUT -j ACCEPT -d 127.0.0.1 Correct me if I'm wrong, but I think this would also allow incoming traffic from 127.0.0.1 to the eth0 interface.

Re: Request for comments: iptables script for use on laptops.

2006-05-26 Thread Uwe Hermann
Hi, On Tue, May 23, 2006 at 07:29:44PM +0400, Konstantin Khomoutov wrote: On Tue, May 23, 2006 at 04:36:31PM +0200, Uwe Hermann wrote: useless. Did I miss anything? Kernel shoots any packet it considers as being martian -- e.g. packets from 127.0.0.0/8 cannot appear on any interface

Re: Request for comments: iptables script for use on laptops.

2006-05-26 Thread Uwe Hermann
Hi, On Wed, May 24, 2006 at 06:52:59AM +0200, Mike Dornberger wrote: So what can happen? {SYN,ICMP} floods, TCP RST attacks, but the last one is then just guesswork (assuming the attacker can't see the real traffic at 192.168.0.0/24 else you already have a big problem). Am I missing something?

Re: Request for comments: iptables script for use on laptops.

2006-05-24 Thread Michael Stone
On Tue, May 23, 2006 at 02:10:19PM +0200, marco.celeri wrote: Yes, I think this allows incoming spoofed traffic to eth0 (or is it martian?), but the response must follow what is found in the routing table - lo interfaces... am I wrong? Yes, but that doesn't necessarily help in the case of a

Re: Request for comments: iptables script for use on laptops.

2006-05-24 Thread Mike Dornberger
Hi, On Tue, May 23, 2006 at 03:40:58PM +0200, Michel Messerschmidt wrote: LeVA said: If I set up my firewall to accept only my local network (eg. -s 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then anyone can spoof that too. So what's the point of creating rules? :) even

Re: Request for comments: iptables script for use on laptops.

2006-05-24 Thread Bernd Eckenfels
Mike Dornberger [EMAIL PROTECTED] wrote: If I set up my firewall to accept only my local network (eg. -s 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then anyone can spoof that too. So what's the point of creating rules? :) even if one can spoof the IP, he (= the attacker)

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread marco.celeri
Hi, You have the FORWARD policy set to DROP (not by default but by rule) - you don't need echo ... /ip_forward. I don't like to log everything it drops; it can fill up a partition and that is not good :) bye Your iptables scares me a bit, do we really have to do all that stuff like echo to

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Uwe Hermann
Hi, On Mon, May 22, 2006 at 03:16:04PM -0700, Vineet Kumar wrote: echo 1 > /proc/sys/net/ipv4/ip_forward echo 0 > /proc/sys/net/ipv4/ip_forward While I haven't yet gone through the actual content of the script, a note of style preference: Personally, I prefer using sysctl -w instead of

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Uwe Hermann
Hi, On Mon, May 22, 2006 at 07:57:59AM -0400, George Hein wrote: Your iptables scares me a bit, do we really have to do all that stuff like echo to /proc/sys/ I was a TP professional many years ago but since the internet I have become a novice, thus running scared. You don't really

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread LeVA
May 23, 2006 02:04, Uwe Hermann [EMAIL PROTECTED] - George Hein [EMAIL PROTECTED], debian-laptop@lists.debian.org, debian-security@lists.debian.org: iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host iptables -A OUTPUT -j ACCEPT -d 127.0.0.1 Correct me if I'm wrong, but I

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Rolf Kutz
* Quoting Uwe Hermann ([EMAIL PROTECTED]): iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host iptables -A OUTPUT -j ACCEPT -d 127.0.0.1 Correct me if I'm wrong, but I think this would also allow incoming traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing his

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Rolf Kutz
* Quoting LeVA ([EMAIL PROTECTED]): iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT But if one can spoof 127.0.0.1, then one can spoof anything else, so creating any rule with an ip address matching is useless. No? If I set up my firewall to accept only my local

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Rolf Kutz
* Quoting Michael Stone ([EMAIL PROTECTED]): On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote: The script under scrutiny was intended for a laptop. A router or firewall setup is something different and should not route traffic with spoofed addresses. rp_filter should catch this

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread marco.celeri
Hi, iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host iptables -A OUTPUT -j ACCEPT -d 127.0.0.1 Correct me if I'm wrong, but I think this would also allow incoming traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing his IP address to appear to be 127.0.0.1

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Michael Stone
On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote: The script under scrutiny was intended for a laptop. A router or firewall setup is something different and should not route traffic with spoofed addresses. rp_filter should catch this easily, if you can use it. If not, an IP-based rule

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Konstantin Khomoutov
On Tue, May 23, 2006 at 02:04:13AM +0200, Uwe Hermann wrote: [...] iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host iptables -A OUTPUT -j ACCEPT -d 127.0.0.1 Correct me if I'm wrong, but I think this would also allow incoming traffic from 127.0.0.1 to the eth0 interface. So

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Michel Messerschmidt
LeVA said: But if one can spoof 127.0.0.1, then one can spoof anything else, so creating any rule with an ip address matching is useless. No? It's not totally useless but gives only a minor level of protection, i.e. it helps against attacks without spoofing :) If I set up my firewall to

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread LeVA
May 23, 2006 10:06, Rolf Kutz [EMAIL PROTECTED] - debian-security@lists.debian.org: * Quoting LeVA ([EMAIL PROTECTED]): iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT But if one can spoof 127.0.0.1, then one can spoof anything else, so creating any rule with

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Uwe Hermann
Hi, On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote: But if one can spoof 127.0.0.1, then one can spoof anything else, so creating any rule with an ip address matching is useless. Correct. IP-based authentication is inherently flawed. If you want something like that, use strong

Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Michael Stone
On Tue, May 23, 2006 at 04:20:58PM +0200, Uwe Hermann wrote: On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote: But if one can spoof 127.0.0.1, then one can spoof anything else, so creating any rule with an ip address matching is useless. Correct. IP-based authentication is inherently

Re: Request for comments: iptables script for use on laptops.

2006-05-22 Thread Vineet Kumar
* Uwe Hermann ([EMAIL PROTECTED]) [060521 11:18]: echo 1 > /proc/sys/net/ipv4/ip_forward echo 0 > /proc/sys/net/ipv4/ip_forward While I haven't yet gone through the actual content of the script, a note of style preference: Personally, I prefer using sysctl -w instead of echo > /proc/sys. I

Request for comments: iptables script for use on laptops.

2006-05-21 Thread Uwe Hermann
Hi everyone, this is crossposted to debian-laptop and debian-security, as I believe it is relevant to both. Today, I have heavily updated my (GPL'd) iptables script which I have been using for quite a while now to secure my laptop (and various workstations). The script is available from