[Firehol-support] Dropping localhost src packets.

Goetz Bock bock at blacknet.de
Thu Jan 22 13:29:47 GMT 2004


On Thu, Jan 22 '04 at 11:28, Francis Brosnan Blázquez wrote:
> We are receiving ip spoofed packages with 127.0.0.1 as ip source. So, we
> have added the following line before any interface definition to drop
> all incoming traffic from localhost.
> 
> blacklist="localhost"
> interface any BadTraf src "${blacklist}"
> 
> But, after starting firehol again, I am still able to do a telnet localhost
> 22.
Everything is allowed from localhost to localhost, regardless of what
you specify. 

But the spoofed package should be filtered in the kernel already. But I
can't remember the parameters ... and did not find it in the firehol
source :-( 

.
.
.

maybe rp_filter

google is your friend

# Source-address verification using ingress (1)
# (prevent ingoing spoofing):
#echo "1" > /proc/sys/net/ipv4/conf/<interface>/rp_filter
# Source-address verification using egress (2)
# (prevent outgoing spoofing):
#echo "2" > /proc/sys/net/ipv4/conf/<interface>/rp_filter
# Source-address verification using ingress (1) + egress (2)
# (prevent in/outgoing spoofing):
echo "3" > /proc/sys/net/ipv4/conf/<interface>/rp_filter
-- 
/"\ Goetz Bock at blacknet dot de  --  secure mobile Linux everNETting
\ /                     (c) 2003 as GNU FDL 1.1
 X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity -  ]
/ \  [ 3. Reply to the list - 4. Read the archive *before* you post ]
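The snippet quoted above gives rp_filter an ingress/egress meaning that the kernel does not document: ip-sysctl.txt defines 0 (no source validation), 1 (strict reverse path) and 2 (loose reverse path), and the value the kernel actually applies to an interface is the larger of conf/all/rp_filter and conf/<interface>/rp_filter. The script below is an added example for this thread, not code from the original mail or from FireHOL. It reports that effective setting per interface and prints, without applying, the netfilter rules that drop a 127.0.0.0/8 source arriving on anything other than lo, which is the case the original poster described. The sysctl root is a parameter so the audit can be run against a copied tree; the max() rule and the LOG prefix text are the only assumptions. On current kernels a loopback source on a non-loopback interface is already treated as a martian and discarded; setting net.ipv4.conf.<interface>.log_martians=1 makes those discards visible in the kernel log, which is the first thing to check before adding firewall rules.

```shell
#!/bin/sh
# Added example for this thread, not code from the original mail or from FireHOL.
# Audits the reverse-path-filter setting the kernel will actually apply per
# interface and prints (does not apply) the netfilter rules that drop
# loopback-sourced packets arriving on any interface other than lo.
#
# Assumption: the kernel uses max(conf/all/rp_filter, conf/<if>/rp_filter)
# as the effective setting for <if>, as documented in ip-sysctl.txt.

# Effective value = the larger of the "all" and per-interface settings.
effective_rp_filter() {
    all=$1
    iface=$2
    if [ "$all" -gt "$iface" ]; then
        echo "$all"
    else
        echo "$iface"
    fi
}

# Name a value using the meanings current kernels document:
# 0 = no source validation, 1 = strict (drop if the route back to the
# source would leave by a different interface), 2 = loose (drop only if
# the source is unreachable via any interface). Anything else is not a
# documented value, whatever a pasted snippet claims it means.
describe_rp_filter() {
    case $1 in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "undocumented($1)" ;;
    esac
}

# Walk a sysctl tree and report every real interface. The root defaults to
# /proc/sys; a test or an offline review of a copied tree can pass another.
audit_rp_filter() {
    root=${1:-/proc/sys}
    conf="$root/net/ipv4/conf"
    all=$(cat "$conf/all/rp_filter") || return 1
    for dir in "$conf"/*/; do
        name=$(basename "$dir")
        case $name in
            all|default) continue ;;
        esac
        value=$(cat "$dir/rp_filter" 2>/dev/null) || continue
        eff=$(effective_rp_filter "$all" "$value")
        printf '%s rp_filter=%s effective=%s (%s)\n' \
            "$name" "$value" "$eff" "$(describe_rp_filter "$eff")"
    done
}

# Belt-and-braces for the case in the thread: a 127/8 source is only valid
# on lo, so log and drop it on every other interface. The commands are
# emitted rather than executed so they can be reviewed first.
spoofed_loopback_rules() {
    echo "iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOG --log-prefix 'spoofed-lo: '"
    echo "iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP"
}

# Stand-alone run: report the live tree when one is present.
if [ -d /proc/sys/net/ipv4/conf ]; then
    audit_rp_filter
    spoofed_loopback_rules
fi
```

Run it as root or not; reading the rp_filter files needs no privilege, and nothing is written. A per-interface value of 1 is effective even when conf/all/rp_filter is 0, and a conf/all value of 2 overrides a per-interface 1, which is why the audit prints the computed effective value rather than the raw file contents.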