[Gllug] iptables - a quick question
itsbruce at uklinux.net
Thu Nov 29 13:41:52 UTC 2001
On 11/29/01, 1:01:25 PM, tet at accucard.com wrote regarding Re: [Gllug] iptables - a quick question:
> As far as I'm aware, yes, a packet with a 127.0.0.1 source address will
> probably route fine across the internet. I doubt many routers will even
> look at the source address unless explicitly configured to do so.
> Note that in addition to 127.0.0.1, you should consider all RFC1918
> addresses that you're not using to be spoofed. Thus if your network uses
> 192.168.1.0/24, then packets from 10.0.0.0/8 are bogus, as are packets
> from other 192.168 subnets.
Indeed. And where you have a proper lan behind your firewall you should
also block outgoing packets with spoofed source addresses (i.e. not lan
addresses). We have 3 external connections (leased line, ISDN, ADSL),
each with its own fw/router which connects to a central gateway box
(fw/router). The gateway router thus has 4 network interfaces (lan plus
3) and it has rules to block spoofed addresses on all of them. 'Cause if
someone gets in (or you have a malicious employee on the inside) you also
want to limit the damage they can do going out again.
Any decent network administrator is too paranoid to function in human
society;)
--
Bruce
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
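As an added illustration of the rule set Bruce describes (this is not code from the thread), the script below builds the ingress and egress anti-spoofing rules for a gateway with one LAN interface and three upstream links; the interface names, the LAN prefix and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names and the LAN
# prefix are assumed; by default the rules are only printed (dry run).
LAN_IF=eth0
LAN_NET=192.168.1.0/24
WAN_IFS="eth1 eth2 eth3"          # leased line, ISDN, ADSL (assumed names)
# Sources that must never arrive from an upstream link: loopback and the
# RFC1918 ranges (our own 192.168.1.0/24 is covered by 192.168.0.0/16).
BOGONS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
IPT=${IPT:-echo iptables}         # set IPT=iptables to actually apply

antispoof_rules() {
    # Ingress on each upstream: drop bogon sources, both for the gateway
    # itself (INPUT) and for traffic it would forward to the LAN (FORWARD).
    for wif in $WAN_IFS; do
        for net in $BOGONS; do
            $IPT -A INPUT   -i "$wif" -s "$net" -j DROP
            $IPT -A FORWARD -i "$wif" -s "$net" -j DROP
        done
    done
    # Ingress on the LAN port: only our own prefix may come in from there.
    $IPT -A INPUT   -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    # Egress: anything forwarded out of an upstream link must carry a LAN
    # source, which limits what an intruder or insider can spoof outward.
    for wif in $WAN_IFS; do
        $IPT -A FORWARD -o "$wif" ! -s "$LAN_NET" -j DROP
    done
}

# Number of rules the dry run emits: 3 links * 4 bogons * 2 chains + 2 + 3
count_rules() { antispoof_rules | grep -c '^iptables'; }
```

Run with `IPT=iptables sh script.sh` (after sourcing the functions and calling `antispoof_rules`) to apply; the dry run lets you review the rules first.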