On Tue, Apr 07, 1998 at 10:24:42PM -0500, Manoj Srivastava wrote:
> Hi,
> >>"David" == David Welton <[EMAIL PROTECTED]> writes:
>
> David> If we won't even set a default prompt, what business do we have
> David> doing things like:
> [Setting up IP spoofing protection...]
>
> Well, maybe we are closer to achieving a consensus about what
> one should do wrt ip spoofing, and one does not seem to come to a
> consensus about prompts.

Good point. I still feel that it is misleading, or at the very least,
not detailed enough. The script tells us:

echo "Setting up IP spoofing protection."

but what it does is:

# deny incoming packets pretending to be from 127.0.0.1 and
# deny incoming packets pretending to be from our own system.

but only if you uncomment it.

I think that we should at the very least be a bit more descriptive of
what we are doing:

if [ -e /proc/ip_input ]
then
    echo "Denying incoming packets with spoofed address 127.0.0.1"
fi

Especially since many people will still recompile their kernels and
possibly not realize that this feature has been disabled. I think a
phrase such as the above is a bit more honest with our users. To many
new users who have heard of the advanced and stable networking of
linux, 'spoofing protection' might mean any number of things. I think
we should be clear about this.

Incidentally, if we are decided to put this sort of thing in, it might
not be a bad idea to set up filters against spoofed packets going *out*
of the computer, to thwart attempts by people who have installed linux
as a quick way to launch an arsenal of nasties against other people on
the net.

I'd prefer to just see the whole thing commented out though...

Ciao,
--
David Welton http://www.efn.org/~davidw
Debian GNU/Linux - www.debian.org
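
The two ingress rules quoted in the message, plus the egress filter it suggests, written out as a packet-level decision. This is an added example, not part of the original message or of the Debian script. It widens 127.0.0.1 to the whole 127.0.0.0/8 loopback block, assumes a single-homed host that does not forward traffic, and the function name, interface names and addresses are constructed for illustration.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def verdict(direction, iface, src, local_addrs):
    """Return (action, reason) for one packet (hypothetical helper).

    direction   -- "in" or "out"
    iface       -- interface the packet arrives on or leaves by
    src         -- source address claimed in the IP header
    local_addrs -- addresses configured on this host (assumed known)
    """
    addr = ipaddress.ip_address(src)
    local = {ipaddress.ip_address(a) for a in local_addrs}

    if iface == "lo":
        # Traffic that never leaves the host is outside these rules.
        return ("accept", "loopback interface")

    if direction == "in":
        # Rule 1: nothing from the wire can legitimately claim loopback.
        if addr in LOOPBACK:
            return ("deny", "loopback source on external interface")
        # Rule 2: nothing from the wire can legitimately claim to be us.
        if addr in local:
            return ("deny", "own address as source on external interface")
        return ("accept", "source not obviously spoofed")

    # Egress rule from the message: a non-forwarding host should only
    # ever emit packets carrying one of its own addresses as source.
    if addr not in local:
        return ("deny", "outgoing packet with foreign source")
    return ("accept", "outgoing packet with own source")

# Constructed sample data (RFC 5737 documentation addresses).
HOST_ADDRS = {"192.0.2.10"}
SAMPLES = [
    ("in", "eth0", "127.0.0.1"),
    ("in", "eth0", "192.0.2.10"),
    ("in", "eth0", "198.51.100.7"),
    ("out", "eth0", "198.51.100.7"),
    ("out", "eth0", "192.0.2.10"),
]

if __name__ == "__main__":
    for direction, iface, src in SAMPLES:
        action, reason = verdict(direction, iface, src, HOST_ADDRS)
        print(f"{direction:3} {iface:4} src={src:13} -> {action}: {reason}")
```

Each deny reason names the specific check that fired, which is the level of detail the message asks the startup text to carry instead of a blanket "spoofing protection".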