Eric Paynter wrote:
> On Thu, October 6, 2005 7:37 pm, Tad Glines said:
>
>>Most infrastructure routers on the net drop/block packets with source
>>route options so spoofing the source IP of a TCP conversation is not
>>generally practical over the internet.
>
> To be sure, drop source-routed packets at your own firewall too. Don't
> rely on "most" infrastructure to do it for you.

Which is the best way to do so, then? I'd use sysctl.conf for this:

# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0

# Don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0

Is there any better?

regards,
Dennis
-- 
gentoo-security@g.o mailing list
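
An added example, not part of the original post: a shell check of the effective per-interface state behind the sysctl keys discussed above. It assumes the Linux rules that an interface accepts source-routed packets only when both conf/all and conf/<iface> accept_source_route are non-zero, and that the larger of conf/all and conf/<iface> rp_filter applies; the function names and the optional root argument are made up for this example.

```shell
#!/bin/sh
# Added example: audit effective IPv4 source-route / rp_filter state.
# With no argument it reads the live tree; a constructed directory with
# the same layout can be passed instead (hypothetical parameter).

read_val() {
    # Print the value stored in file $1, or 0 if it is missing.
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

audit_ipv4_conf() {
    root=${1:-/proc/sys/net/ipv4/conf}
    all_sr=$(read_val "$root/all/accept_source_route")
    all_rp=$(read_val "$root/all/rp_filter")
    findings=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" and "default" are settings, not interfaces.
        case $iface in all|default) continue ;; esac
        sr=$(read_val "$dir/accept_source_route")
        rp=$(read_val "$dir/rp_filter")
        # Effective rp_filter is max(all, iface).
        eff_rp=$rp
        if [ "$all_rp" -gt "$eff_rp" ]; then eff_rp=$all_rp; fi
        # Source routing is honoured only if all AND iface are non-zero.
        if [ "$all_sr" -ne 0 ] && [ "$sr" -ne 0 ]; then
            echo "$iface: source-routed packets accepted"
            findings=$((findings + 1))
        fi
        if [ "$eff_rp" -eq 0 ]; then
            echo "$iface: rp_filter disabled"
            findings=$((findings + 1))
        fi
    done
    echo "findings=$findings"
}
```

Calling `audit_ipv4_conf` with no argument after `sysctl -p` shows whether interfaces that already existed picked up the intended values, since conf/default only seeds interfaces created later.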