> ----- Original Message -----
> From: "Magnus Sundberg" <[EMAIL PROTECTED]>
> To: "Peter Robb" <[EMAIL PROTECTED]>
> Cc: <[email protected]>
> Sent: Tuesday, November 04, 2003 6:32 PM
> Subject: Re: Firewall Startup Configuration files
>
> > Peter Robb wrote:
> > <snipped>
> >
> > > >>By the way NAT and DNAT do not protect you from evil neighbours
> > > >>at your ISP. One of my internal networks was earlier 192.168.1.0/24.
> > > >>An evil neighbour can send a source routed package to my gateway
> > > >>further on to one of my internal machines...
> > > >>No the ISP does not filter out these addresses, because it is not
> > > >>possible in their DSL equipment.
> > >
> > > That is what the reverse path filter is for, rp_filter, in your
> > > /etc/sysctl.conf file
> >
> > Is this good enough?
> > If the evil person has good address A and sends a packet to your
> > internal host B via your firewall C.
> > The packet from A will appear at interface a of C, with a fully
> > valid sender address and fully valid recipient address B.
> > I don't understand why the rp filter should reject it.
>
> That's the source-routing option in sysctl.conf, yes or no..
> ipv4.conf.all.accept_source_routing = 0
>
> > /Magnus
>
> Regards, Peter
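As an added example (not from the thread or its participants), a small POSIX shell audit of a sysctl.conf-style file for the two settings the exchange turns on: rp_filter, which Peter suggests first, and accept_source_route, which he names after Magnus points out that a source-routed packet carrying a valid sender address is not something the reverse path filter rejects. The key names and expected values are this example's assumptions about current Linux sysctl naming (the thread writes the key as ipv4.conf.all.accept_source_routing), and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file for the two anti-spoofing
# knobs discussed in the thread. Key names and expected values below are
# this example's assumptions about current Linux sysctl names.
REQUIRED="
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
"

# Print the effective value of key $2 in file $1: comments stripped,
# whitespace around '=' ignored, last assignment wins; nothing if unset.
sysctl_value() {
    sed -e 's/#.*//' "$1" | awk -F= -v key="$2" '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == key { val = $2 }
        END { if (val != "") print val }'
}

# Report each required key that is missing or has a weak value, then print
# the number of findings on the last line. Always returns 0.
audit_sysctl_conf() {
    findings=0
    for pair in $REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sysctl_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WEAK    $key=$got (want $want)"
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}

# Constructed sample: rp_filter on, as first suggested in the thread, but
# source routing left at the kernel default. The audit flags three gaps.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1   # reverse path filter
EOF
audit_sysctl_conf "$WEAK_CONF"
rm -f "$WEAK_CONF"
```

Point the function at /etc/sysctl.conf (or a file under /etc/sysctl.d/) to check a real gateway; a zero on the last line means both knobs are set for the "all" and "default" trees.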

