Re: [OT?] automatically firewalling off IPs
Dave Strydom wrote:

> You know what would be seriously awesome, is if they have a type of
> RBL listing for this kind of thing, and you could just link your
> iptables up to the rbl listings.
>
> (for those of you who don't know how rbl's work)
>
> Example, I see this in my auth.log:
> -------------------------------------------
> Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203
> <http://209.50.253.203> maps to srv.warofthering.net
> <http://srv.warofthering.net>, but this does not map back to the
> address - POSSIBLE BREAKIN ATTEM
> PT!
> Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from
> 209.50.253.203 <http://209.50.253.203>
> Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203
> <http://209.50.253.203> maps to srv.warofthering.net
> <http://srv.warofthering.net>, but this does not map back to the
> address - POSSIBLE BREAKIN ATTEM
> PT!
> Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from
> 209.50.253.203 <http://209.50.253.203>
> Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from
> 209.50.253.203 <http://209.50.253.203>
> Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from
> 209.50.253.203 <http://209.50.253.203>
> -------------------------------------------
>
> I could then submit the IP address to an RBL listing site, and then all
> people who plug in to the RBL listing could update their firewalls with
> the latest listing.
>
> Just an idea, I don't know how hard it would be to do?
>
> Dave

That will never happen. The reasons have been stated plenty of times over,
but I'll state them again:

* Many of those addresses are from dynamic IPs

* Some may be using fake IPs that you log in from; it would suck to have
you banned from your own server

* If anybody can submit to an RBL, you would have the whole world added
to that RBL in no time, because somebody will get the bright idea to do so.

In short, bad idea.

Kyle
Re: [OT?] automatically firewalling off IPs
Which brings me back to my original idea, of only allowing your IPs to
connect to SSH on your servers, and just drop everything else, problem
solved.



On 10/4/05, Kyle Lutze <kyle@randomvoids.com> wrote:
>
> Dave Strydom wrote:
>
> You know what would be seriously awesome, is if they have a type of RBL
> listing for this kind of thing, and you could just link your iptables up to
> the rbl listings.
>
> (for those of you who don't know how rbl's work)
>
> Example, I see this in my auth.log:
> -------------------------------------------
> Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203<http://209.50.253.203>maps to
> srv.warofthering.net <http://srv.warofthering.net>, but this does not map
> back to the address - POSSIBLE BREAKIN ATTEM
> PT!
> Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from
> 209.50.253.203 <http://209.50.253.203>
> Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203<http://209.50.253.203>maps to
> srv.warofthering.net <http://srv.warofthering.net>, but this does not map
> back to the address - POSSIBLE BREAKIN ATTEM
> PT!
> Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from
> 209.50.253.203 <http://209.50.253.203>
> Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from
> 209.50.253.203 <http://209.50.253.203>
> Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from
> 209.50.253.203 <http://209.50.253.203>
> -------------------------------------------
>
> I could then submit the IP address to an RBL listing site, and then all
> people who plug in to the RBL listing could update their firewalls with the
> latest listing.
>
> Just an idea, I don't know how hard it would be to do?
>
> Dave
>
> That will never happen. The reasons have been stated plenty of times over, but
> I'll state them again:
>
> * Many of those addresses are from dynamic IPs
>
> * Some may be using fake IPs that you log in from; it would suck to have
> you banned from your own server
>
> * If anybody can submit to an RBL, you would have the whole world added to
> that RBL in no time, because somebody will get the bright idea to do so.
>
> In short, bad idea.
>
> Kyle
>
Re: [OT?] automatically firewalling off IPs
Hello Kirk,
Is there an iptables-based port knocker?
I dislike the idea of opening ports for this purpose because they can be distinguished in some way.
Promiscuous-mode port knockers consume a lot of CPU, and
I don't think that's good for a production server.

KH> A port knocker of some sort is a much more secure solution that will
KH> allow you to block all unwanted IPs but still allow for dynamic
KH> addresses. There are port knockers that listen on various ports and
KH> work like a combination lock to open the port, and there are others that
KH> use a more secure one-time-pad "magic packet" kind of authentication to
KH> open the port for your IP. It is more work to set up, but it is more
KH> secure than just changing the port. Remember a few years ago when ssh
KH> had a remote exploit? You probably shouldn't leave that port open.

--
Best regards,
boger mailto:boger@ttk.ru

--
gentoo-security@gentoo.org mailing list
Re: [OT?] automatically firewalling off IPs
Yes, there are. I use one for my work servers that is iptables based.
I don't have any links for you unfortunately but I have seen them. If
you are really interested I can probably track down one I saw that used
iptables and was a combination style. I also know of an open source
"magic packet" style that I could probably find a link for if you were
interested.

boger said the following:
> Hello Kirk,
> Is there an iptables-based port knocker?
> I dislike the idea of opening ports for this purpose because they can be distinguished in some way.
> Promiscuous-mode port knockers consume a lot of CPU, and
> I don't think that's good for a production server.
>
> KH> A port knocker of some sort is a much more secure solution that will
> KH> allow you to block all unwanted IPs but still allow for dynamic
> KH> addresses. There are port knockers that listen on various ports and
> KH> work like a combination lock to open the port, and there are others that
> KH> use a more secure one-time-pad "magic packet" kind of authentication to
> KH> open the port for your IP. It is more work to set up, but it is more
> KH> secure than just changing the port. Remember a few years ago when ssh
> KH> had a remote exploit? You probably shouldn't leave that port open.
>
Re: [OT?] automatically firewalling off IPs
Dave Strydom wrote:

> Which brings me back to my original idea, of only allowing your IPs
> to connect to SSH on your servers, and just drop everything else,
> problem solved.

Indeed, but please follow the RFC and post underneath the existing content;
it is much easier to read :)
Re: [OT?] automatically firewalling off IPs
Dave Strydom wrote:
> Which brings me back to my original idea, of only allowing your IPs to
> connect to SSH on your servers, and just drop everything else, problem
> solved.

I do something along those lines. At my firewall/router I have a
rule that blocks private IPs (and MS's 169 addresses). Other
addresses are permitted through, but all are logged. This script
is on my ssh server for further protection (see below). I used
to do a type of blacklisting (still do), but I haven't had any
new entries since I started using this. BTW, I had a large
number of IPs from China, Korea, Japan, Singapore, Brazil and
a few other Asian countries, so blocking IPs (networks, not
individual IPs) became unmanageable.

Here's what I do (it's been trimmed and I broke the lines with \):

#!/bin/sh
# Allow these sites access to my machine
# -state NEW

permit() {
# I want to log just the start of the conversation (the SYN only),
# then accept every packet from this source to port 22
/sbin/iptables -A INPUT -s "${1}" -p tcp --syn --dport 22 -j LOG \
--log-level info --log-prefix "iptables permit: " \
--log-ip-options
/sbin/iptables -A INPUT -s "${1}" -p tcp --dport 22 -j ACCEPT
}

# Deny these sites access to my machine: log at alert level, then drop
# (note: without --syn this logs every packet, not just connection attempts)
deny() {
/sbin/iptables -A INPUT -s "${1}" -p tcp --dport 22 -j LOG \
--log-level alert --log-prefix "iptables deny: " \
--log-ip-options
/sbin/iptables -A INPUT -s "${1}" -p tcp --dport 22 -j DROP
}

# =[ Flush the tables completely ]============================================
# (this empties every chain of the filter table, not only the ssh rules)
/sbin/iptables -F

# =[ Permit list ]============================================================
#permit 127.0.0.0/8 # Local stuff
permit 10.0.0.0/8 # Local stuff
permit 172.16.0.0/12 # Local stuff
permit 192.168.0.0/16 # Local stuff

# =[ Deny list ]==============================================================
# Order matters: the permit rules above are matched first
deny 0.0.0.0/0 # Deny everyone else


exit 0


--
Linux Home Automation Neil Cherry ncherry@comcast.net
http://home.comcast.net/~ncherry/ (Text only)
http://hcs.sourceforge.net/ (HCS II)
http://linuxha.blogspot.com/ My HA Blog
Re: [OT?] automatically firewalling off IPs
Hello Kirk,

I'll appreciate it ;)

Googling gives a lot of links to libpcap-based port knockers, but I dislike the idea of always running in promiscuous mode. Also, "magic packet" is a sort of overkill for me, because I need access from random locations with different OSes, preferably without any additional tools.
If the computer is untrusted, after logon I can change the knock sequence without leaving any keys behind. Even if the password gets compromised, it is not so dangerous in this scenario.

By iptables-based I mean using ulog or ipq to forward packets to the knock daemon; thus it's undetectable from outside and can be very fast.

About a year ago I tested 5 or 6 port knockers, but I didn't find any
suitable for me. Some had terrible CPU usage on my machine,
some not flexible enough configuration.


KH> Yes, there are. I use one for my work servers that is iptables based.
KH> I don't have any links for you unfortunately but I have seen them. If
KH> you are really interested I can probably track down one I saw that used
KH> iptables and was a combination style. I also know of an open source
KH> "magic packet" style that I could probably find a link for if you were
KH> interested.

--
Best regards,
boger mailto:boger@ttk.ru

Re: [OT?] automatically firewalling off IPs
boger said the following:
> Hello Kirk,
>
> I'll appreciate it ;)
>
> Googling gives a lot of links to libpcap-based port knockers, but I dislike the idea of always running in promiscuous mode. Also, "magic packet" is a sort of overkill for me, because I need access from random locations with different OSes, preferably without any additional tools.
> If the computer is untrusted, after logon I can change the knock sequence without leaving any keys behind. Even if the password gets compromised, it is not so dangerous in this scenario.
>
> By iptables-based I mean using ulog or ipq to forward packets to the knock daemon; thus it's undetectable from outside and can be very fast.
>
> About a year ago I tested 5 or 6 port knockers, but I didn't find any
> suitable for me. Some had terrible CPU usage on my machine,
> some not flexible enough configuration.
>
>
> KH> Yes, there are. I use one for my work servers that is iptables based.
> KH> I don't have any links for you unfortunately but I have seen them. If
> KH> you are really interested I can probably track down one I saw that used
> KH> iptables and was a combination style. I also know of an open source
> KH> "magic packet" style that I could probably find a link for if you were
> KH> interested.
>

It would appear that I was mistaken in thinking that the two I have used
were iptables-based. Both are dependent upon libpcap. I was briefly
confused by the way they have been integrated into the iptables
firewall. For what it is worth, my experiences with libpcap port
knockers have been very favorable. Sorry if that was a bit of a goose chase.
Re: [OT?] automatically firewalling off IPs
Hello Kirk,

Wednesday, October 5, 2005, 12:30:16 AM, you wrote:

KH> boger said the following:
>> Hello Kirk,
>>
>> I'll appreciate it ;)
>>
>> Googling gives a lot of links to libpcap-based port knockers,
>> but I dislike the idea of always running in promiscuous mode. Also, "magic
>> packet" is a sort of overkill for me, because I need access from
>> random locations with different OSes, preferably without any
>> additional tools.
>> If the computer is untrusted, after logon I can change the knock
>> sequence without leaving any keys behind. Even if the password gets
>> compromised, it is not so dangerous in this scenario.
>>
>> By iptables-based I mean using ulog or ipq to forward packets
>> to the knock daemon; thus it's undetectable from outside and can be very
>> fast.
>>
>> About a year ago I tested 5 or 6 port knockers, but I didn't find any
>> suitable for me. Some had terrible CPU usage on my machine,
>> some not flexible enough configuration.
>>
>>

KH> It would appear that I was mistaken in thinking that the two I have used
KH> were iptables-based. Both are dependent upon libpcap. I was briefly
KH> confused by the way they have been integrated into the iptables
KH> firewall. For what it is worth, my experiences with libpcap port
KH> knockers have been very favorable. Sorry if that was a bit of a goose chase.

Thanks to Tobias Allen, he offered a suitable solution ;)
It's in the '[gentoo-security] Port knocking' thread.

Also I reported this method to http://www.portknocking.org.
--
Best regards,
boger mailto:boger@ttk.ru

Re: [OT?] automatically firewalling off IPs
On Tuesday 04 October 2005 03:55 am, Dave Strydom wrote:
> You know what would be seriously awesome, is if they have a type of RBL
> listing for this kind of thing, and you could just link your iptables up to
> the RBL listings.
...
> I could then submit the IP address to an RBL listing site, and then all
> people who plug in to the RBL listing could update their firewalls with the
> latest listing.

This may not be the best solution pertaining to this particular thread, but
the following site may be of use for this kind of thing. I would recommend
that anyone managing a firewall at least check it out, as it is a great
resource:
http://www.dshield.org/

If you wanted to perhaps ban the most popular (not to mention annoying) script
kiddies (or ban and not log), you could write some form of script that
could just grab and parse one of these feeds:
http://www.dshield.org/feeds_doc.php

Then add some rules to your firewall, using whatever means necessary.

HTH,

Robert


RE: [OT?] automatically firewalling off IPs
These rules only block out the offending IP. All others remain unblocked.

> -----Original Message-----
> From: Alex Efros [mailto:powerman@sky.net.ua]
> Sent: Sunday, October 02, 2005 3:54 PM
> To: gentoo-security@lists.gentoo.org
> Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
>
> Hi!
>
> On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> > These are the rules that I'm using.
> >
> > # Track connections to SSH
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK
> > FIN,ACK \
> > --dport 22 -m recent --name SSH --set
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST
> \
> > --dport 22 -m recent --name SSH --set
> >
> > # Drop if connection rate exceeds 4/minute
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> > --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix
> > "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> > --rcheck --seconds 60 --hitcount 4 -j DROP
> >
> > # Drop if connection rate exceeds 20/hour
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> > --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix
> > "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> > --rcheck --seconds 3600 --hitcount 20 -j DROP
>
> What about DoS because of these rules? Imagine somebody runs SSH
> connections to your host every 10 seconds while you don't have an
> already-opened SSH connection to the server... In this case you will
> never have a chance to log in to your server (and fix this issue)?!
>
> --
> WBR, Alex.
> --
> gentoo-security@gentoo.org mailing list


Re: [OT?] automatically firewalling off IPs
Tad Glines wrote:
> These rules only block out the offending IP. All others remain un-blocked.

IP spoofing. It isn't that far fetched, really...


--
[Name ] :: [Matan I. Peled ]
[Location ] :: [Israel ]
[Public Key] :: [0xD6F42CA5 ]
[Keyserver ] :: [keyserver.kjsl.com]
encrypted/signed plain text preferred

Re: [OT?] automatically firewalling off IPs
Can anyone comment on whether IP spoofing (for hiding country of origin) is
common? Seems quite unlikely - at least at the current state of things.
Is it even possible to tell (at the firewall interface)?

BillK

On Thu, 2005-10-06 at 11:13 +0300, Matan Peled wrote:
> Tad Glines wrote:
> > These rules only block out the offending IP. All others remain un-blocked.
>
> IP spoofing. It isn't that far fetched, really...
Re: [OT?] automatically firewalling off IPs
William Kenworthy wrote:
> Can anyone comment whether IP spoofing (for hiding country of origin) is
> common? Seems quite unlikely - at least at the current state of things.
> Is it even possible to tell (at the firewall interface?)
>
> BillK

I think that hiding country of origin by IP spoofing is quite useless, at
least on the Internet (it might work on a single subnet, or if you pretend to be
another IP in your subnet, and then switches complicate it as well...)

AFAIK, you can't actually connect to a server with a spoofed IP, since the
server will send the reply packets to the spoofed IP, which will either drop
them or tell the server it doesn't want them.

Spoofed IPs are only good if you want to flood a server with them and not have
the admin know where they came from (not easily, anyway).

However, firewalls that automatically blacklist IPs that do weird things can be
exploited. Let's say you have connection rate limiting on your SSH port. I can
send your firewall spoofed packets that contain your IP and have it rate limit my
spoofed packets.

And then you can't connect. Not good...

Anyway, about hiding country of origin: it's usually done using proxies. There
are many open proxies out there...

--
[Name ] :: [Matan I. Peled ]
[Location ] :: [Israel ]
[Public Key] :: [0xD6F42CA5 ]
[Keyserver ] :: [keyserver.kjsl.com]
encrypted/signed plain text preferred

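Tying together Alex's lockout worry about Tad's rules and Matan's spoofed-packet scenario, here is an added example (not code from the thread): Tad's recent-module limiter with an allowlist and an ESTABLISHED exemption placed before the counters, so that neither a burst of connections nor spoofed packets carrying the admin's own address can block the admin. It prints the iptables commands unless IPT is set to the real binary; the addresses in ADMIN_NETS are constructed sample values, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: per-source SSH rate limiting that
# cannot lock out the administrator.
# Dry run by default: IPT prints each command. Set IPT=/sbin/iptables
# (as root) to apply the rules for real.
IPT="${IPT:-echo /sbin/iptables}"

# Sources that may always reach sshd (constructed sample values; put
# your own static addresses or networks here).
ADMIN_NETS="${ADMIN_NETS:-192.0.2.10 198.51.100.0/24}"

ssh_rules() {
    # A dedicated chain keeps the rest of INPUT untouched (the thread's
    # script used "iptables -F", which wipes every filter rule).
    $IPT -N SSH_GUARD 2>/dev/null   # no-op if the chain already exists
    $IPT -F SSH_GUARD
    # Hook the chain into INPUT (add this one line to the firewall script once)
    $IPT -A INPUT -p tcp --dport 22 -j SSH_GUARD

    # 1. Allowlist first: these sources never reach the counters, so a
    #    spoofed packet carrying the admin's address cannot get it listed.
    for net in $ADMIN_NETS; do
        $IPT -A SSH_GUARD -s "$net" -j ACCEPT
    done

    # 2. Packets of existing sessions are never counted or dropped, so an
    #    open admin session survives a later block of its address.
    $IPT -A SSH_GUARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Record every new connection attempt, one "recent" entry per source.
    $IPT -A SSH_GUARD -m state --state NEW -m recent --name SSH --set

    # 4. Fifth new connection within 60 s: log (rate limited) and drop.
    #    --update also refreshes the timer while the attempts continue.
    $IPT -A SSH_GUARD -m state --state NEW -m recent --name SSH \
        --update --seconds 60 --hitcount 5 \
        -m limit --limit 3/min -j LOG --log-prefix "SSH_limit: "
    $IPT -A SSH_GUARD -m state --state NEW -m recent --name SSH \
        --update --seconds 60 --hitcount 5 -j DROP

    # 5. Anything else is a normal new connection.
    $IPT -A SSH_GUARD -j ACCEPT
}

ssh_rules
```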
Re: [OT?] automatically firewalling off IPs
On Thu, 2005-10-06 at 13:19 +0300, Matan Peled wrote:
> William Kenworthy wrote:
> > Can anyone comment whether IP spoofing (for hiding country of origin) is
> > common? Seems quite unlikely - at least at the current state of things.
> > Is it even possible to tell (at the firewall interface?)
> >
> > BillK
>
> I think that for hiding country of origin by IP spoofing is quite useless, at
...
Thanks, good description.

BillK

Re: [OT?] automatically firewalling off IPs
Matan Peled said the following:
> William Kenworthy wrote:
>
>>Can anyone comment whether IP spoofing (for hiding country of origin) is
>>common? Seems quite unlikely - at least at the current state of things.
>>Is it even possible to tell (at the firewall interface?)
>>
>>BillK
>
>
> I think that hiding country of origin by IP spoofing is quite useless, at
> least on the Internet (it might work on a single subnet, or if you pretend to be
> another IP in your subnet, and then switches complicate it as well...)
>

I think it depends on your purpose. It is easy to get around, but
blocking whole ranges based on country could help cut down on the
vulnerability scans that can be so annoying. Our country does no
business with China, yet various subnets are frequently scanned from
addresses originating there. Blocking those ranges would cause most of
them to move on. It is likely that you already block whole invalid
subnets in your firewall rules anyway.
Re: [OT?] automatically firewalling off IPs
Attached are my scripts I generate in a cron job to block China and
Korea if anyone is interested. I've observed the CIDRs to these
countries change so it might be a good idea to have semi-recent copies.

Brian

On Thu, 2005-10-06 at 15:02 -0600, Kirk Hoganson wrote:

> Matan Peled said the following:
> > William Kenworthy wrote:
> >
> >>Can anyone comment whether IP spoofing (for hiding country of origin) is
> >>common? Seems quite unlikely - at least at the current state of things.
> >>Is it even possible to tell (at the firewall interface?)
> >>
> >>BillK
> >
> >
> > I think that hiding country of origin by IP spoofing is quite useless, at
> > least on the Internet (it might work on a single subnet, or if you pretend to be
> > another IP in your subnet, and then switches complicate it as well...)
> >
>
> I think it depends on your purpose. It is easy to get around, but
> blocking whole ranges based on country could help cut down on the
> vulnerability scans that can be so annoying. Our country does no
> business with China, yet various subnets are frequently scanned from
> addresses originating there. Blocking those ranges would cause most of
> them to move on. It is likely that you already block whole invalid
> subnets in your firewall rules anyway.
RE: [OT?] automatically firewalling off IPs
The intent wasn't to be 100% secure. It was to really slow down the script
kiddies that were clogging my server logs.

As for IP spoofing: spoofing an IP packet's source address is really easy,
which is why blocking DDoS attacks can be difficult. However, if you want to
have an actual two-way conversation with a computer, you have to find a third
host that supports loose source routing (any older windoze box will do).
Most infrastructure routers on the net drop/block packets with source route
options, so spoofing the source IP of a TCP conversation is not generally
practical over the internet.

-Tad

> -----Original Message-----
> From: Matan Peled [mailto:chaosite@gmail.com]
> Sent: Thursday, October 06, 2005 1:14 AM
> To: gentoo-security@lists.gentoo.org
> Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
>
> Tad Glines wrote:
> > These rules only block out the offending IP. All others remain un-
> blocked.
>
> IP spoofing. It isn't that far fetched, really...
>
>
> --
> [Name ] :: [Matan I. Peled ]
> [Location ] :: [Israel ]
> [Public Key] :: [0xD6F42CA5 ]
> [Keyserver ] :: [keyserver.kjsl.com]
> encrypted/signed plain text preferred
>


RE: [OT?] automatically firewalling off IPs
On Thu, October 6, 2005 7:37 pm, Tad Glines said:
> Most infrastructure routers on the net drop/block packets with source
> route options so spoofing the source IP of a TCP conversation is not
> generally practical over the internet.

To be sure, drop source-routed packets at your own firewall too. Don't
rely on "most" infrastructure to do it for you.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com

Re: [OT?] automatically firewalling off IPs
Eric Paynter wrote:
> On Thu, October 6, 2005 7:37 pm, Tad Glines said:
>
>>Most infrastructure routers on the net drop/block packets with source
>>route options so spoofing the source IP of a TCP conversation is not
>>generally practical over the internet.
>
>
> To be sure, drop source-routed packets at your own firewall too. Don't
> rely on "most" infrastructure to do it for you.
Which is the best way to do so, then? I'd use sysctl.conf for this:

# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0

# Don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0

Is there anything better?

regards,
Dennis
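As an added example (not Dennis's or the list's own code) that goes beyond the fragment above: the same settings applied to the "all" and "default" scopes and to every interface that already exists, with log_martians switched on so that spoofed and source-routed packets leave a trace for detection. It prints the sysctl commands unless SYSCTL is set to the real binary; CONF_DIR is an assumption used only to enumerate interfaces.

```shell
#!/bin/sh
# Added example, not from the thread: anti-spoofing sysctls applied to
# every scope the kernel consults. "default" is only copied into
# interfaces created later; for an existing interface the kernel combines
# the "all" value with the interface's own value (the higher of the two
# for rp_filter, both must allow for accept_source_route, either one for
# log_martians), so set all three scopes rather than "default" alone.
# Dry run by default: prints the commands. Set SYSCTL=sysctl to apply.
SYSCTL="${SYSCTL:-echo sysctl}"
CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"   # assumed location

# rp_filter=1: strict reverse-path check, drop packets whose source is not
#   reachable via the arriving interface (use 2, loose mode, on multi-homed
#   hosts with asymmetric routing).
# accept_source_route=0: drop source-routed packets at the host itself,
#   not only at "most" upstream routers.
# log_martians=1: log each spoofed or source-routed packet instead of
#   silently dropping it (the fragment above set this to 0).
ANTISPOOF="rp_filter=1 accept_source_route=0 log_martians=1"

antispoof_targets() {
    printf 'all\ndefault\n'
    if [ -d "$CONF_DIR" ]; then
        for d in "$CONF_DIR"/*; do
            n=${d##*/}
            case "$n" in
                all|default) ;;                        # already listed
                *) [ -d "$d" ] && printf '%s\n' "$n" ;;
            esac
        done
    fi
}

harden_antispoof() {
    for t in $(antispoof_targets); do
        for kv in $ANTISPOOF; do
            $SYSCTL -w "net.ipv4.conf.$t.$kv"
        done
    done
}

harden_antispoof
```

Persist the same keys in /etc/sysctl.conf as Dennis does; the per-interface loop is what catches interfaces that were up before the file was applied.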