23 May 2006 10:06, Rolf Kutz <[EMAIL PROTECTED]> -> debian-security@lists.debian.org:
> * Quoting LeVA ([EMAIL PROTECTED]):
> > > iptables -A INPUT -i lo -j ACCEPT
> > > iptables -A OUTPUT -o lo -j ACCEPT
> >
> > But if one can spoof 127.0.0.1, then one can spoof anything else, so
> > creating any rule with an ip address matching is useless. No? If I set up
> > my firewall to accept only my local network (eg. -s
> > 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then anyone
> > can spoof that too. So what's the point of creating rules? :)
>
> The script under scrutiny was intended for a
> laptop. A router or firewall setup is something
> different and should not route traffic with
> spoofed addresses. rp_filter should catch this
> easily, if you can use it. If not, an IP-based
> rule is ok, IMHO.
So sticking with the smtp example, if I have enabled rp_filter, then does it
matter whether I'm using this:

iptables -A INPUT -p tcp -i lo --dport 25 -j ACCEPT

or this:

iptables -A INPUT -p tcp -s 127.0.0.1 --dport 25 -j ACCEPT

Daniel

-- 
LeVA
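The following toy model is an added illustration of the question in this message; it is not part of the thread and not kernel or netfilter code. It models an INPUT chain with the two rules under discussion (`-i lo` versus `-s 127.0.0.1`), sends one genuine loopback packet and one packet that arrived on `eth0` with a forged `127.0.0.1` source through both rules, and then repeats the exercise with a strict reverse-path check standing in for `rp_filter`. The routing table, the interface name `eth0`, the `Packet` and `Rule` classes and the sample packets are all assumptions constructed for the example.

```python
"""Toy model of the two INPUT rules discussed above (added illustration,
not kernel code).  Shows why '-i lo' and '-s 127.0.0.1' behave differently
when a packet on a non-loopback interface carries a spoofed 127.0.0.1
source, and how a strict reverse-path check (rp_filter) closes that gap for
the address-based rule.  Routing table, rules and packets are constructed
here purely for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet actually arrived on (not spoofable)
    src: str        # source address as written in the IP header (spoofable)
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A small subset of iptables match options: -i, -s, -p, --dport, -j."""
    target: str
    in_iface: Optional[str] = None
    src: Optional[str] = None       # single address or CIDR prefix
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# Constructed routing table for a laptop: (destination prefix, output interface).
ROUTES = [
    ("127.0.0.0/8", "lo"),
    ("192.168.0.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),
]


def route_iface(addr: str) -> str:
    """Longest-prefix lookup: which interface would we use to reach addr?"""
    ip = ip_address(addr)
    for prefix, iface in sorted(ROUTES, key=lambda r: ip_network(r[0]).prefixlen, reverse=True):
        if ip in ip_network(prefix):
            return iface
    raise ValueError(f"no route to {addr}")


def rp_filter_ok(pkt: Packet) -> bool:
    """Strict reverse-path check: the route back to the source must leave via
    the interface the packet came in on.  A 127.0.0.1 source seen on eth0
    fails because 127/8 is routed via lo."""
    return route_iface(pkt.src) == pkt.in_iface


def verdict(pkt: Packet, rules: List[Rule], rp_filter: bool = False, policy: str = "DROP") -> str:
    """Run pkt through the INPUT chain: rp_filter first, then first matching rule, else policy."""
    if rp_filter and not rp_filter_ok(pkt):
        return "DROP (rp_filter)"
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# The two rules from the question.
RULE_IFACE = Rule("ACCEPT", in_iface="lo", proto="tcp", dport=25)   # -i lo
RULE_SRC = Rule("ACCEPT", src="127.0.0.1", proto="tcp", dport=25)    # -s 127.0.0.1

# Constructed packets: a genuine loopback connection, and one arriving on eth0
# with a forged 127.0.0.1 source.
LEGIT_PKT = Packet(in_iface="lo", src="127.0.0.1", proto="tcp", dport=25)
SPOOFED_PKT = Packet(in_iface="eth0", src="127.0.0.1", proto="tcp", dport=25)


if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_PKT), ("spoofed", SPOOFED_PKT)):
        for label, rule in (("-i lo", RULE_IFACE), ("-s 127.0.0.1", RULE_SRC)):
            for rp in (False, True):
                print(f"{name:8} {label:13} rp_filter={rp!s:5} -> {verdict(pkt, [rule], rp)}")
```

Without the reverse-path check, the spoofed packet is dropped by the `-i lo` rule (the input interface cannot be forged by the sender) but accepted by the `-s 127.0.0.1` rule; with the check enabled it is dropped before either rule is consulted. On a real Linux host `rp_filter` is set per interface under `/proc/sys/net/ipv4/conf/*/rp_filter`, and the kernel has additional martian-source handling that this model leaves out; the point here is only the difference between matching on the interface and matching on the header address.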