Re: IP Spoofing

["David C. Hart" <DCH@TQMcube.com>]

[-- Attachment #1: Type: text/plain, Size: 1847 bytes --]

On Fri, 2003-11-07 at 07:26, Ted Kaczmarek wrote:
> I would add an input established on that as well, makes it easier to do
> upgrades.
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Hi Ted:

If you have a moment, could you please explain (for the comparative IPT
nitwits - including me) what that does?
> 
> I wish everyone did implicit DROP's, it would make the web a safer
> place.

IBID

Thanks
> 
> :-)
> 
> 
> 
> Ted
> 
> 
> On Wed, 2003-11-05 at 15:39, Antony Stone wrote:
> > On Wednesday 05 November 2003 8:19 pm, Leandro Takashi Hirano wrote:
> > 
> > > Thanks Antony...
> > >
> > > Do you have a script or something where I can find protection rules?
> > 
> > You tell us what protection you want and we can suggest some rules to do it.
> > 
> > There's no single "magic ruleset" for netfilter / iptables which "protects 
> > your network", otherwise every distribution would include it as standard.
> > 
> > It depends what you want to do.
> > 
> > A good starting point is:
> > 
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT
> > 
> > That will allow nothing in or out of the firewall machine itself, and will 
> > allow all access from your internal network to the Internet, blocking 
> > everything except reply packets from the Internet to your network.
> > 
> > I do not recommend that you simply implement the above rules before you 
> > understand what they are designed to do.
> > 
> > Check Oskar Andreasson's excellent tutorial for more information about this 
> > sort of configuration, or any of the other documentation at 
> > http://www.netfilter.org
> > 
> > Antony.
> 
> 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]