From: Ralf Spenneberg <lists@spenneberg.org>
To: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
Cc: "Geffrey Velásquez" <g_netfilter@netfids.com>,
Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Protecting against DoS
Date: 09 Dec 2003 19:16:38 +0100
Message-ID: <1070993798.18225.96.camel@kermit>
In-Reply-To: <1070992891.1867.19.camel@jasiiitosh.nexusmgmt.com>
Hi,
On Tue, 2003-12-09 at 19:01, John A. Sullivan III wrote:
> > > echo 1 > /proc/sys/net/ipv4/tcp_syncookies -- if you have not compiled
> >
> >
> > Is that valid for forwarded packets? Or only those destined to the firewall?
This is valid only for local packets.
> We have avoided using these /proc settings for just that concern - that
> they are mostly for the gateway itself and not for the devices being
> protected by it whether it is anti-spoofing with rp_filter or protecting
> against syn_floods. Is this assumption of ours true? Thanks, all - John
Actually it depends. Most just concern local packets, but
rp_filter and accept_source_route, for example, test all packets.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: VPN mit Linux
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
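
The scope distinction drawn in the reply above, as an added example that is not part of the original message: a small audit that labels each setting named in this thread as covering only the gateway's own traffic or forwarded traffic as well, and lists interfaces where a forwarding-relevant check is switched off. The function names and the optional root-directory argument are hypothetical, and treating `rp_filter=0` and `accept_source_route=1` as the states to flag is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Scope labels follow the reply above:
# tcp_syncookies is local-only; rp_filter and accept_source_route are
# tested for all packets, forwarded ones included.

# scope_of NAME -> local | all | unknown (settings the thread does not cover)
scope_of() {
    case "$1" in
        tcp_syncookies) echo local ;;
        rp_filter|accept_source_route) echo all ;;
        *) echo unknown ;;
    esac
}

# audit_gateway [ROOT] -> one line per setting: "scope name iface value".
# ROOT defaults to the live tree; pass a constructed copy to run offline.
# Raw per-directory values only: how the kernel combines conf/all with the
# per-interface value is not evaluated here.
audit_gateway() {
    root="${1:-/proc/sys/net/ipv4}"
    f="$root/tcp_syncookies"
    [ -r "$f" ] && echo "$(scope_of tcp_syncookies) tcp_syncookies - $(cat "$f")"
    for dir in "$root"/conf/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for name in rp_filter accept_source_route; do
            [ -r "$dir$name" ] || continue
            echo "$(scope_of "$name") $name $iface $(cat "$dir$name")"
        done
    done
}

# forwarded_gaps [ROOT] -> "iface:name=value" for every setting that also
# covers forwarded packets but is in the state this example flags
# (assumption: rp_filter=0 or accept_source_route=1).
forwarded_gaps() {
    audit_gateway "$1" | while read -r scope name iface value; do
        [ "$scope" = all ] || continue
        case "$name:$value" in
            rp_filter:0|accept_source_route:1) echo "$iface:$name=$value" ;;
        esac
    done
}
```

Run `forwarded_gaps` with no argument on the gateway itself; a `local` line from `audit_gateway` marks a setting that does nothing for the hosts behind it.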