Hi,
On Wed, May 24, 2006 at 06:52:59AM +0200, Mike Dornberger wrote:
> So what can happen? {SYN,ICMP} floods, TCP RST attacks, but the last one is
> then just guesswork (assuming the attacker can't see the real traffic at
> 192.168.0.0/24 else you already have a big problem). Am I missing somethin
Hi,
On Tue, May 23, 2006 at 07:29:44PM +0400, Konstantin Khomoutov wrote:
> On Tue, May 23, 2006 at 04:36:31PM +0200, Uwe Hermann wrote:
>
> >>> useless. Did I miss anything?
> >> Kernel shoots any packet it considers as being "martian" -- e.g. packets
> >> from 127.0.0.0/8 cannot appear on any i
Hi,
On Tue, May 23, 2006 at 10:01:46AM +0200, Rolf Kutz wrote:
> > > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
> >
> > Correct me if I'm wrong, but I think this would also allow incoming
> > traffic from 127.0.0.1 to the eth0 i
Hi,
On Tue, May 23, 2006 at 10:02:33PM -0400, Michael Stone wrote:
> (E.g., want to be able to test
> without the complexity of an encryption layer, don't want overhead of
> encrypting both sides of a local connection, etc.) Aside from that,
> yeah, ip addresses shouldn't be used for authentica
Mike Dornberger <[EMAIL PROTECTED]> wrote:
>> > If I set up my firewall to accept only my local network (eg.
>> > -s 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then
>> > anyone can spoof that too. So what's the point of creating rules? :)
>
> even if one can spoof the IP, he (= th
Hi,
On Tue, May 23, 2006 at 03:40:58PM +0200, Michel Messerschmidt wrote:
> LeVA said:
> > If I set up my firewall to accept only my local network (eg.
> > -s 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then
> > anyone can spoof that too. So what's the point of creating rules? :)
On Tue, May 23, 2006 at 02:10:19PM +0200, marco.celeri wrote:
Yes, I think this allows incoming spoofed traffic to eth0 (or is it
"martian"?), but the response must follow what is found in the routing table ->
the lo interface... am I wrong?
Yes, but that doesn't necessarily help in the case of a single-pa
On Tue, May 23, 2006 at 04:20:58PM +0200, Uwe Hermann wrote:
On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
any rule with an ip address matching is useless.
Correct. IP-based authentication is inherently flawe
Hi,
On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
> any rule with an ip address matching is useless.
Correct. IP-based authentication is inherently flawed. If you want something
like that, use strong cryptogr
23 May 2006, 10:06,
Rolf Kutz <[EMAIL PROTECTED]>
-> debian-security@lists.debian.org,:
> * Quoting LeVA ([EMAIL PROTECTED]):
> > > iptables -A INPUT -i lo -j ACCEPT
> > > iptables -A OUTPUT -o lo -j ACCEPT
> >
> > But if one can spoof 127.0.0.1, then one can spoof anything else, so
> > creating
LeVA said:
> But if one can spoof 127.0.0.1, then one can spoof anything else, so
> creating any rule with an ip address matching is useless. No?
It's not totally useless but gives only a minor level of protection,
i.e. it helps against attacks without spoofing :)
> If I set up my firewall to ac
On Tue, May 23, 2006 at 02:04:13AM +0200, Uwe Hermann wrote:
[...]
>> iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
>> iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. S
On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
The script under scrutiny was intended for a
laptop. A router or firewall setup is something
different and should not route traffic with
spoofed addresses. rp_filter should catch this
easily, if you can use it. If not, an IP-based
rule i
Hi,
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> his IP address to appear to be 127.0.
* Quoting Michael Stone ([EMAIL PROTECTED]):
> On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
> >The script under scrutiny was intended for a
> >laptop. A router or firewall setup is something
> >different and should not route traffic with
> >spoofed addresses. rp_filter should catch
* Quoting LeVA ([EMAIL PROTECTED]):
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -o lo -j ACCEPT
> >
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
> any rule with an ip address matching is useless. No? If I set up my firewall
> to accept only my
* Quoting Uwe Hermann ([EMAIL PROTECTED]):
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
23 May 2006, 02:04,
Uwe Hermann <[EMAIL PROTECTED]>
-> George Hein <[EMAIL PROTECTED]>,debian-laptop@lists.debian.org,
debian-security@lists.debian.org:
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong,
Hi,
On Mon, May 22, 2006 at 07:57:59AM -0400, George Hein wrote:
> Your iptables scares me a bit, do we really have to do all that stuff
> like "echo to /proc/sys/...". I was a TP professional many years ago
> but since the internet I have become a novice, thus running scared.
You don't really
Hi,
On Mon, May 22, 2006 at 03:16:04PM -0700, Vineet Kumar wrote:
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > echo 0 > /proc/sys/net/ipv4/ip_forward
>
> While I haven't yet gone through the actual content of the script, a
> note of style preference:
>
> Personally, I prefer using sysctl -w in
Hi,
You have the FORWARD policy set to DROP (not by default but by rule) -> you don't
need "echo ... /ip_forward".
I don't like to log everything it drops; it can fill a partition and that is
not good :)
bye
> Your iptables scares me a bit, do we really have to do all that stuff
> like "echo to /
* Uwe Hermann ([EMAIL PROTECTED]) [060521 11:18]:
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 0 > /proc/sys/net/ipv4/ip_forward
While I haven't yet gone through the actual content of the script, a
note of style preference:
Personally, I prefer using sysctl -w instead of echo > /proc/sys. I
p
Hi everyone,
this is crossposted to debian-laptop and debian-security, as I believe
it is relevant to both.
Today, I have heavily updated my (GPL'd) iptables script which I have been
using for quite a while now to secure my laptop (and various workstations).
The script is available from http://ww