On Tue, 2003-12-02 at 19:39, Tom Eastep wrote:
> On Tue, 2 Dec 2003, Tom Eastep wrote:
> > Shorewall currently does no checking for spoofed output packets (and
> > probably won't in the future).
>
> By "output", I mean packets originating on the firewall itself. If the
> firewall system itself is rooted, then what that system's packet filter
> does in response is immaterial and any firewall designer who worries about
> that problem is an idiot.
Tom,
Agreed.

> In terms of traffic passing through a Shorewall firewall, Shorewall itself
> has no concept of "input" and "output" or "inside" or "outside". So the
> Shorewall-generated ruleset applies exactly the same checks on all traffic
> being forwarded by the firewall system regardless of which direction you
> perceive the traffic as flowing (assuming that you apply options like
> 'routefilter' symmetrically).

Ah. This is what I was looking for. So, there is probably a rule that can be
generated to stop spoofed packets from egressing the protected LAN.

Thanks for the information. As usual it was helpful and timely. :-)

-- 
Mike Noyes <mhnoyes at users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
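The point Tom makes above is that a reverse-path check on forwarded traffic is direction-agnostic: the same test that drops a packet arriving on the WAN side with a LAN source address also drops a packet arriving on the LAN side with a non-LAN source, which is exactly the "spoofed packets egressing the protected LAN" case Mike asks about. The following is an added illustration, not code from this thread or from Shorewall; it models the strict reverse-path test that a per-interface 'routefilter' (the kernel's rp_filter) performs, using a constructed two-interface routing table with assumed interface names (eth0 facing the WAN, eth1 facing the LAN) and RFC 5737 documentation addresses.

```python
import ipaddress

# Constructed routing table for the example: interface -> directly routed
# prefixes. The WAN interface carries the default route. Interface names and
# prefixes are assumptions made for this illustration only.
ROUTES = {
    "eth0": ["0.0.0.0/0"],        # WAN side: default route
    "eth1": ["192.168.1.0/24"],   # protected LAN
}


def reverse_path_interface(src, routes=ROUTES):
    """Longest-prefix match: the interface the firewall would use to reach src.

    This is the "reverse path" of a packet whose source address is src.
    """
    ip = ipaddress.ip_address(src)
    best_iface, best_len = None, -1
    for iface, prefixes in routes.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if ip in net and net.prefixlen > best_len:
                best_iface, best_len = iface, net.prefixlen
    return best_iface


def passes_rp_filter(in_iface, src, routes=ROUTES):
    """Strict reverse-path check: accept only if a reply to src would leave
    through the interface the packet arrived on. Applied on every interface,
    it catches spoofing in both directions with one rule."""
    return reverse_path_interface(src, routes) == in_iface


def filter_forwarded(packets, routes=ROUTES):
    """Apply the check to a list of (in_iface, src, dst) forwarded packets and
    return the verdict for each."""
    verdicts = []
    for in_iface, src, dst in packets:
        verdict = "ACCEPT" if passes_rp_filter(in_iface, src, routes) else "DROP"
        verdicts.append((in_iface, src, dst, verdict))
    return verdicts


# Constructed sample traffic: two legitimate flows and two spoofed ones.
SAMPLE_PACKETS = [
    ("eth1", "192.168.1.10", "198.51.100.7"),  # LAN host going out: legitimate
    ("eth0", "198.51.100.7", "192.168.1.10"),  # reply coming back in: legitimate
    ("eth0", "192.168.1.20", "192.168.1.10"),  # ingress spoof: LAN source from WAN
    ("eth1", "203.0.113.5", "198.51.100.7"),   # egress spoof: non-LAN source from LAN
]

if __name__ == "__main__":
    for in_iface, src, dst, verdict in filter_forwarded(SAMPLE_PACKETS):
        print(f"{in_iface:5} {src:>14} -> {dst:<14} {verdict}")
```

The two spoofed packets are dropped by the same check that passes the two legitimate ones; nothing in the logic knows which side is "inside". The caveat Tom attaches still applies: the check only helps if it is enabled on both interfaces, and it says nothing about packets the firewall host itself originates.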