begin quoting Tracy R Reed as of Mon, Aug 07, 2006 at 05:39:23PM -0700:
> [EMAIL PROTECTED] wrote:
> > Why? I want to deny reserved IP addresses at:
>
> This is way more trouble than it is worth IMHO.
Oh, go take comfort that there are people out there more paranoid than you are. Don't diss someone else's efforts to reduce their perceived risk*. It's only more trouble than it's worth because nobody has automated the tedious and boring work yet.

I was under the impression that you could dynamically remove and add rules from iptables, so that a flush wasn't actually necessary -- when the new list is available, compare the new list to the old list, add those addresses that are only on the new list, remove those addresses that are only on the old list, and be done.

Of course, thinking about it, aren't iptables rules applied *after* the interface comes up? So there's a window-of-attack on reboot, right? Or is this a site-dependent problem?

*Unless, of course, you enjoy being raked over the coals for your reasonable decisions, like, say, Win95 advocates lecturing you on how having multiple non-root user accounts is overkill and a waste of time.

-- 
 _
|\_
 \|
-- [email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
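The diff-and-apply approach described in the post, as an added example that is not code from the thread: it computes which ranges left and which joined the list and emits one `iptables -D` or `-A` per change, so the chain is never flushed. The chain name `BOGONS`, the one-CIDR-per-line list format and the sample lists are assumptions; by default it prints the commands instead of running them.

```shell
#!/bin/sh
# Incremental update of a DROP chain from an old and a new list of CIDRs.
# Chain name and list format are assumptions for this example.
LC_ALL=C; export LC_ALL          # deterministic sort/comm ordering
IPT="${IPT:-echo iptables}"     # set IPT=iptables to really apply the plan
CHAIN="${CHAIN:-BOGONS}"

# Strip comments and blank lines, then sort uniquely so comm(1) can diff.
normalize() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | sort -u
}

# Emit the iptables commands that turn the rule set for $1 into that for $2.
plan_update() {
    tmp_old=$(mktemp) tmp_new=$(mktemp)
    normalize "$1" > "$tmp_old"
    normalize "$2" > "$tmp_new"
    # Ranges only in the old list: delete their rules.
    comm -23 "$tmp_old" "$tmp_new" | while read -r net; do
        $IPT -D "$CHAIN" -s "$net" -j DROP
    done
    # Ranges only in the new list: append rules; existing ones are untouched.
    comm -13 "$tmp_old" "$tmp_new" | while read -r net; do
        $IPT -A "$CHAIN" -s "$net" -j DROP
    done
    rm -f "$tmp_old" "$tmp_new"
}

# Constructed sample lists (documentation ranges, not a real bogon feed).
demo() {
    d=$(mktemp -d)
    printf '# yesterday\n10.0.0.0/8\n192.0.2.0/24\n198.51.100.0/24\n' > "$d/old.txt"
    printf '# today\n10.0.0.0/8\n198.51.100.0/24\n203.0.113.0/24\n' > "$d/new.txt"
    plan_update "$d/old.txt" "$d/new.txt"
    rm -rf "$d"
}

demo
```

Whether the chain is populated before an interface comes up is a separate matter of init ordering on the host; this script only handles the list refresh.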
