Eric Paynter wrote:
> On Thu, October 6, 2005 7:37 pm, Tad Glines said:
>
>> Most infrastructure routers on the net drop/block packets with source
>> route options so spoofing the source IP of a TCP conversation is not
>> generally practical over the internet.
>
> To be sure, drop source-routed packets at your own firewall too. Don't
> rely on "most" infrastructure to do it for you.

Which is the best way to do so, then? I'd use sysctl.conf for this:

# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
# Don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0

Is there any better?

regards,
Dennis
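Added example, not part of the original thread: a small shell audit that reports the effective per-interface state of the three keys discussed above, since the `default` keys only seed interfaces created later while the `all` keys are combined with each interface's own value. The `CONF_ROOT` variable and the function names are assumptions of this example, and the combination rules are those given in the current kernel ip-sysctl documentation.

```shell
#!/bin/sh
# Added example, not from the original post. CONF_ROOT is an assumption that
# lets the audit run against a constructed tree instead of the live /proc.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# read_key IFACE KEY: print the value, or 0 if the file is absent.
read_key() {
    if [ -r "$CONF_ROOT/$1/$2" ]; then cat "$CONF_ROOT/$1/$2"; else echo 0; fi
}

# effective IFACE: print "IFACE srr=N rpf=N martians=N" using the combination
# rules in the current kernel ip-sysctl documentation:
#   accept_source_route = all AND interface
#   rp_filter           = max(all, interface)
#   log_martians        = all OR interface
effective() {
    a=$(read_key all accept_source_route); i=$(read_key "$1" accept_source_route)
    if [ "$a" -ne 0 ] && [ "$i" -ne 0 ]; then srr=1; else srr=0; fi
    a=$(read_key all rp_filter); i=$(read_key "$1" rp_filter)
    if [ "$a" -gt "$i" ]; then rpf=$a; else rpf=$i; fi
    a=$(read_key all log_martians); i=$(read_key "$1" log_martians)
    if [ "$a" -ne 0 ] || [ "$i" -ne 0 ]; then mart=1; else mart=0; fi
    echo "$1 srr=$srr rpf=$rpf martians=$mart"
}

# audit: print one line per real interface; return 1 if any interface still
# accepts source-routed packets or has reverse-path filtering off.
audit() {
    rc=0
    for d in "$CONF_ROOT"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case $name in all|default) continue ;; esac
        line=$(effective "$name")
        echo "$line"
        case $line in *srr=1*|*rpf=0*) rc=1 ;; esac
    done
    return $rc
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--run" ]; then audit; fi
```

Invoke the script with `--run` after `sysctl -p` to confirm that every existing interface, not only future ones, ends up with `srr=0`.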
