On Thu, Aug 16, 2007 at 02:54:16PM +0200, Izak Burger wrote:
> > does it not cover the case of packets arriving at eth0 spoofed as
> > from 127.0.0.1 ?
>
> Right you are, that slipped my mind.

I asked because I don't remember and I really can't be bothered to check.
These things are tricky and life is short.

> I seem to recall that earlier versions of debian had rp_filter default
> to 1 (I see sarge still has this, you set spoofprotect=yes in
> /etc/network/options, and afaik it defaults to yes).
>
> I agree with the rest of the sentiment on the list though. I like
> lean installs. I like to use a product called "firehol" to build my
> (admittedly very simple) firewalls, but I will never advocate that it
> be installed by default. I'd absolutely hate it if someone forced me
> to install shorewall because they think I need to be protected from
> myself. I think that is what most people are trying to say.

All I'm saying is, would it be possible to have a single simple option
that users could *elect* to take, that wasn't the default, that wasn't
bending anyone's life out of shape, marked "Novice User" or something :-)

Regards,
Paddy

