From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Jeffrey B. Ferland" Date: Tue, 13 Dec 2005 15:46:39 +0000 Subject: Re: [LARTC] Some questions Message-Id: <8B21CCE6-493E-49BC-B9E8-4E4705F88361@storyinmemo.com> List-Id: References: <5c6851530512130443j3a4ac990l59c6ac7552557966@mail.gmail.com> In-Reply-To: <5c6851530512130443j3a4ac990l59c6ac7552557966@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: lartc@vger.kernel.org On Dec 13, 2005, at 7:43 AM, Robb Bossley wrote: > Anyways, I have two questions related to the use of iptables. > > 1. I read on a post somewhere that it is smart to put the following > two rules at the end of one's iptables ruleset: > iptables -A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset > iptables -A INPUT -p udp -i eth0 -j REJECT --reject-with tcp-reset > The reasoning was that it would not look like a software firewall, but > rather would look like a machine that had no open ports. Does this > sound reasonable? What would all of you do? > I only have one comment about that.... reject udp packets with a tcp reset? I think that would look more like a very inventive implementation of tcp/udp over ip ;) OK, second comment: it really depends on what you want your box to appear as. > 2. I also read on some website that it is important to use this line > in the setup for iptables: > echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter > What does this do (it said something about spoofing, but I did not > understand), and is it necessary? It ensures that you don't generate "martian packets." If your ip is 10.0.0.1, your interface will only spit out packets with that ip address, and silently drop the rest. -Jeff SIG: HUP _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc