[Firehol-support] Dropping localhost src packets.
Goetz Bock
bock at blacknet.de
Thu Jan 22 13:29:47 GMT 2004
On Thu, Jan 22 '04 at 11:28, Francis Brosnan Blázquez wrote:
> We are receiving IP-spoofed packets with 127.0.0.1 as IP source. So, we
> have added the following line before any interface definition to drop
> all incoming traffic from localhost.
>
> blacklist="localhost"
> interface any BadTraf src "${blacklist}"
>
> But, after starting firehol again, I am still able to do a telnet localhost
> 22.
Everything is allowed from localhost to localhost, regardless of what
you specify.
But the spoofed packet should be filtered in the kernel already. But I
can't remember the parameters ... and did not find it in the firehol
source :-(
.
.
.
maybe rp_filter
google is your friend
# Source-address (reverse-path) verification. rp_filter is a single check,
# not separate ingress/egress switches; the defined values are:
#   0 = off
#   1 = strict: drop unless the source is reachable via the arriving interface
#   2 = loose: drop only if the source is reachable via no interface at all
#       (kernels 2.6.31 and later; older kernels treat any non-zero value as strict)
# The kernel uses max(conf/all, conf/<iface>), so set both explicitly.
IFACE="${1:-eth0}"                                          # interface to protect; adjust
#echo "2" > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter     # loose mode
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter            # strict mode
echo "1" > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
# Log what gets dropped ("martian source ... from ..., on dev ..." in the kernel log):
echo "1" > /proc/sys/net/ipv4/conf/${IFACE}/log_martians
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2003 as GNU FDL 1.1
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
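The following is an added example written for this page; it is not code from the original post, from firehol, or from the kernel sources. It shows how a practitioner would verify the point made above rather than rely on `telnet localhost 22`: firehol accepts all lo-to-lo traffic unconditionally, so a connection to localhost never passes a spoofing check at all. A packet carrying a 127.0.0.0/8 source that arrives on a non-loopback interface is rejected by the kernel's routing code as a "martian source" independently of rp_filter (on current kernels unless route_localnet is enabled), and log_martians makes that visible in the kernel log. The script builds the sysctl settings (effective rp_filter is max(all, iface)), builds explicit iptables rules as a second line of defence, and counts loopback-sourced martians in a constructed sample of kernel log lines. The interface name eth0 and the log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post, firehol, or the kernel tree.
# Interface names and log lines below are constructed for illustration.

# Kernel semantics assumed: the effective rp_filter for an interface is
# max(conf/all/rp_filter, conf/<iface>/rp_filter); 1 = strict, 2 = loose
# (2.6.31 and later), 0 = off.
effective_rpf() {
    # $1 = value of conf/all/rp_filter, $2 = value of conf/<iface>/rp_filter
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# sysctl key=value lines enabling strict reverse-path filtering and martian
# logging. Both all.* and <iface>.* are set so the max() rule cannot surprise.
rpf_sysctl_lines() {
    iface="$1"
    mode="${2:-1}"
    printf 'net.ipv4.conf.all.rp_filter=%s\n' "$mode"
    printf 'net.ipv4.conf.%s.rp_filter=%s\n' "$iface" "$mode"
    printf 'net.ipv4.conf.all.log_martians=1\n'
    printf 'net.ipv4.conf.%s.log_martians=1\n' "$iface"
}

# Apply the settings via sysctl -w (needs root; not exercised by the checks).
apply_rpf() {
    rpf_sysctl_lines "$@" | while IFS= read -r kv; do
        sysctl -w "$kv"
    done
}

# Explicit iptables rules as belt and braces: loopback addresses belong on
# lo only. Inserted at position 1 so they run before any ACCEPT firehol
# generates; firehol rebuilds the ruleset on restart, so re-apply afterwards.
antispoof_rules() {
    printf 'iptables -I INPUT 1 ! -i lo -s 127.0.0.0/8 -j DROP\n'
    printf 'iptables -I INPUT 1 ! -i lo -d 127.0.0.0/8 -j DROP\n'
}

# Constructed sample lines in the kernel's martian format:
# "martian source <dst> from <src>, on dev <iface>"
SAMPLE_KLOG='IPv4: martian source 192.0.2.10 from 127.0.0.1, on dev eth0
IPv4: martian source 192.0.2.10 from 10.9.8.7, on dev eth0
IPv4: martian source 192.0.2.10 from 127.0.0.53, on dev eth1
IPv4: martian source 127.0.0.1 from 198.51.100.7, on dev eth0'

# Count martians whose *source* address is in 127/8: these are the spoofed
# packets from the question, dropped by the kernel before any iptables rule.
count_loopback_src_martians() {
    printf '%s\n' "$1" | awk '
        /martian source/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i+1) ~ /^127\./) { n++; break }
        }
        END { print n + 0 }'
}

# Usage: sh antispoof.sh --show   (prints settings, rules and the sample count)
if [ "${1:-}" = "--show" ]; then
    rpf_sysctl_lines eth0
    antispoof_rules
    printf 'loopback-sourced martians in sample log: %s\n' \
        "$(count_loopback_src_martians "$SAMPLE_KLOG")"
fi
```

Run the `--show` form to see the generated settings, then run `apply_rpf eth0` as root on the real external interface and watch the kernel log: a spoofed packet shows up as a "martian source ... from 127.x.x.x" line, while a genuine `telnet localhost 22` produces nothing, because it never leaves lo.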
More information about the Firehol-support mailing list