Hi,
You have FORWARD policy set to DROP (not by default but by rule) - you don't
need echo ... > /ip_forward
I don't like to log everything it drops; it can fill up a partition, and that is
not good :)
bye
Your iptables scares me a bit, do we really have to do all that stuff
like echo to
Hi,
On Mon, May 22, 2006 at 03:16:04PM -0700, Vineet Kumar wrote:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward
While I haven't yet gone through the actual content of the script, a
note of style preference:
Personally, I prefer using sysctl -w instead of
Hi!
I'm experiencing this problem:
After my server has lost its internet connection, I cannot ssh to it from
our local network.
I get this in the auth.log:
sshd[10746]: Did not receive identification string from :::192.168.0.3
But that is all, I can not notice anything else in the log
Hi,
On Mon, May 22, 2006 at 07:57:59AM -0400, George Hein wrote:
Your iptables scares me a bit, do we really have to do all that stuff
like echo to /proc/sys/ I was a TP professional many years ago
but since the internet I have become a novice, thus running scared.
You don't really
Hi,
On Mon, May 15, 2006 at 08:49:36PM +0200, Javier Fernández-Sanguino Peña wrote:
Please see
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s-disableserv
and the preceding paragraph:
If you want to keep some services but use them rarely, use the
update-commands,
On 23 May 2006 at 02:04,
Uwe Hermann [EMAIL PROTECTED]
- George Hein [EMAIL PROTECTED], debian-laptop@lists.debian.org,
debian-security@lists.debian.org:
iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
Correct me if I'm wrong, but I
* Quoting Uwe Hermann ([EMAIL PROTECTED]):
iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
Correct me if I'm wrong, but I think this would also allow incoming
traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
his
* Quoting LeVA ([EMAIL PROTECTED]):
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
any rule with an ip address matching is useless. No? If I set up my firewall
to accept only my local
* Quoting Michael Stone ([EMAIL PROTECTED]):
On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
The script under scrutiny was intended for a
laptop. A router or firewall setup is something
different and should not route traffic with
spoofed addresses. rp_filter should catch this
Martin Schulze wrote:
The following vulnerability matrix shows which version of MySQL in
which distribution has this problem fixed:
             woody          sarge   sid
mysql        3.23.49-8.15   n/a     n/a
mysql-dfsg   n/a
On Mon, May 15, 2006 at 10:27:00PM -0700, Vineet Kumar wrote:
echo This daemon has been disabled
exit 0
near the top of the init.d scripts :)
using a /etc/default/daemon
DAEMON=disable
and a small check in the init.d script is what lots of packages actually do.
I
Hi,
iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
Correct me if I'm wrong, but I think this would also allow incoming
traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
his IP address to appear to be 127.0.0.1
On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
The script under scrutiny was intended for a
laptop. A router or firewall setup is something
different and should not route traffic with
spoofed addresses. rp_filter should catch this
easily, if you can use it. If not, an IP-based
rule
On Tue, May 23, 2006 at 02:04:13AM +0200, Uwe Hermann wrote:
[...]
iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
Correct me if I'm wrong, but I think this would also allow incoming
traffic from 127.0.0.1 to the eth0 interface. So
LeVA said:
But if one can spoof 127.0.0.1, then one can spoof anything else, so
creating any rule with an ip address matching is useless. No?
It's not totally useless but gives only a minor level of protection,
i.e. it helps against attacks without spoofing :)
If I set up my firewall to
On 23 May 2006 at 10:06,
Rolf Kutz [EMAIL PROTECTED]
- debian-security@lists.debian.org:
* Quoting LeVA ([EMAIL PROTECTED]):
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
But if one can spoof 127.0.0.1, then one can spoof anything else, so
creating any rule with
Hello,
I'm currently setting up a bridge on Debian, which is meant to act as
an invisible filter in our network which is otherwise directly exposed
to the internet (every host directly reachable from the internet, no
NAT or anything like that).
I
Hi,
On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
any rule with an ip address matching is useless.
Correct. IP-based authentication is inherently flawed. If you want something
like that, use strong
Christian Holler schrieb:
Hello,
I'm currently setting up a bridge on Debian, which is meant to act as
an invisible filter in our network which is otherwise directly exposed
to the internet (every host directly reachable from the internet, no
NAT or anything like that).
I found a good Debian
On Tue, May 23, 2006 at 04:20:58PM +0200, Uwe Hermann wrote:
On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
any rule with an ip address matching is useless.
Correct. IP-based authentication is inherently