Package: procps
Version: 1:3.2.7-8
Tags: patch

There is a long-standing bug in the kernel documentation, which is still present in 2.6. The sysctl.conf file shipped with Lenny (and with Etch for that matter) duplicates the bug. To protect a system against routing errors, rp_filter should be 1. To protect a system against IP spoofing attacks, it should be 2. A more complete explanation can be found at:

http://lists.netfilter.org/pipermail/netfilter/2000-September/005400.html

The following patch fixes the problem with sysctl.conf:

--- sysctl.conf 2008-04-08 08:50:18.000000000 +1000
+++ sysctl.conf.NEW 2008-09-11 13:55:46.000000000 +1000
@@ -15,8 +15,8 @@
 # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
 # Turn on Source Address Verification in all interfaces to
 # prevent some spoofing attacks
-#net.ipv4.conf.default.rp_filter=1
-#net.ipv4.conf.all.rp_filter=1
+#net.ipv4.conf.default.rp_filter=2
+#net.ipv4.conf.all.rp_filter=2
 # Uncomment the next line to enable TCP/IP SYN cookies
 #net.ipv4.tcp_syncookies=1

bfn, John

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
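Review bot: the hunk only changes lines that stay commented out, so it alters nothing on a running system, and the comment it leaves in place ("Turn on Source Address Verification in all interfaces to prevent some spoofing attacks") still does not say what 2 means as opposed to 1; if 2 is the intended recommendation, add a comment line above the two settings stating what the value does and which kernel versions it applies to, and base it on the kernel's own Documentation/networking/ip-sysctl.txt rather than on the 2000 mailing-list post, since the report itself says the kernel documentation is what is in dispute. Caveat on the value itself: before Linux 2.6.31 the kernel treated any nonzero rp_filter as enabled, so 1 and 2 behaved identically, and from 2.6.31 onward 2 selects loose reverse-path filtering, which is weaker than the strict check that 1 enables; as written, a user who uncomments these two lines on such a kernel gets less spoof protection than with the original value.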
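An added example, not part of the bug report or of the procps package: a POSIX shell audit of what rp_filter actually means per interface once the sysctl.conf lines are uncommented. It assumes the semantics the kernel documents in Documentation/networking/ip-sysctl.txt for Linux 2.6.31 and later (0 = no source validation, 1 = strict reverse-path filtering, 2 = loose) and the documented rule that the effective value for an interface is the larger of conf/all and conf/<interface>. The function names are my own, and the interface values in the offline branch are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the bug report or of procps: audit the effective
# rp_filter setting per interface. Value semantics follow the kernel's
# Documentation/networking/ip-sysctl.txt for Linux 2.6.31 and later (an
# assumption, stated in the lead-in): 0 = no source validation, 1 = strict
# reverse-path filtering, 2 = loose; the kernel applies
# max(conf/all, conf/<if>) when validating a packet arriving on <if>.

# Translate a numeric rp_filter value into the mode the kernel documents.
rp_filter_mode() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Effective value for one interface: the larger of conf/all and conf/<if>.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Print one report line; succeed only when the interface ends up in strict
# mode, which is the check the sysctl.conf comment calls "Spoof protection".
report_interface() {
    all="$1"; dev="$2"; val="$3"
    eff=$(effective_rp_filter "$all" "$val")
    printf '%-10s all=%s dev=%s effective=%s (%s)\n' \
        "$dev" "$all" "$val" "$eff" "$(rp_filter_mode "$eff")"
    [ "$eff" -eq 1 ]
}

# Walk the live interfaces when /proc is readable; otherwise use a constructed
# sample (three interfaces with conf/all=0) so the script also runs offline.
# Returns 1 if any interface is not in strict mode.
audit_rp_filter() {
    weak=0
    if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
        for dir in /proc/sys/net/ipv4/conf/*/; do
            dev=$(basename "$dir")
            case "$dev" in all|default) continue ;; esac
            report_interface "$all" "$dev" "$(cat "$dir/rp_filter")" || weak=1
        done
    else
        all=0
        # Constructed sample data: "<interface> <conf/<interface>/rp_filter>".
        while read -r dev val; do
            report_interface "$all" "$dev" "$val" || weak=1
        done <<EOF
eth0 1
eth1 2
lo 0
EOF
    fi
    return "$weak"
}

audit_rp_filter || echo "warning: at least one interface is not in strict mode"
```

Under these semantics the value that gives the protection the sysctl.conf comment describes is 1 on both the all and default entries, and the script flags an interface that resolves to 2 (loose) or 0 as weaker than strict; on kernels before 2.6.31 the value was treated as a boolean, so 1 and 2 were indistinguishable there. Run it after applying a sysctl.conf change and rebooting (or after `sysctl -p`) to see what each interface actually ended up with, rather than trusting the file.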