[clug] Firewall rules for CentOS 4.4
Alex Satrapa
grail at goldweb.com.au
Mon Mar 12 00:31:07 GMT 2007
On 10/03/2007, at 18:10 , Ben wrote:
> I thought that by having separate NICs on separate networks, each with
> their own subnet would address this issue, but if someone sets up a
> 192.168.2.x address on the same network as eth0 (and anyone could do
> this), I was told there might be a possibility of them doing something
> to the NFS share intended for the 192.168.2.0/24 subnet.
Some systems will have a file /etc/network/options which contains a
line:
spoofprotect=yes
Setting that to "yes" will turn on the "spoof protection" feature
that Sam mentioned.
Alternately, there is a proc file system file you can frob,
/proc/sys/net/ipv4/conf/all/rp_filter (ie: "echo 1 >
/proc/sys/net/ipv4/conf/all/rp_filter" will do the job better than any
number of ip_tables rules).
There is also an "rp_filter" file in the directory for each
individual interface. Thus /proc/sys/net/ipv4/conf/eth0/rp_filter
and /proc/sys/net/ipv4/conf/eth0/rp_filter give you fine-grained
control.
Do you want to know more? Visit http://www.google.com/search?q=rp_filter
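An added audit script (not part of Alex's post) that shows the check worth making before trusting the per-interface rp_filter files: the kernel enforces the higher of conf/all/rp_filter and conf/<iface>/rp_filter, so turning it on for eth0 alone leaves eth1 unprotected if "all" is still 0. SYSROOT and make_fixture are assumed names introduced here so the audit can be run against a constructed directory tree rather than the live /proc.

```shell
#!/bin/sh
# Added example, not from the original post. Audits reverse-path filtering
# on a Linux host. The kernel applies the HIGHER of conf/all/rp_filter and
# conf/<iface>/rp_filter, so a per-interface "1" is enough on its own, but
# an interface left at 0 is only protected if "all" is raised.
# Values: 0 = off, 1 = strict (reply must route back out the ingress
# interface), 2 = loose (source merely reachable via any interface).
# SYSROOT is a hypothetical prefix: empty for the live /proc, or a
# constructed tree (see make_fixture) for offline testing.

SYSROOT="${SYSROOT:-}"

# rp_mode VALUE -> human-readable name for an rp_filter value.
rp_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rp_filter IFACE -> the value the kernel actually enforces.
effective_rp_filter() {
    all=$(cat "$SYSROOT/proc/sys/net/ipv4/conf/all/rp_filter")
    own=$(cat "$SYSROOT/proc/sys/net/ipv4/conf/$1/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# audit_rp_filter -> one line per real interface; returns 1 if any is off.
audit_rp_filter() {
    rc=0
    for dir in "$SYSROOT"/proc/sys/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default|lo) continue ;; esac
        val=$(effective_rp_filter "$iface")
        printf '%-8s rp_filter=%s (%s)\n' "$iface" "$val" "$(rp_mode "$val")"
        [ "$val" -eq 0 ] && rc=1
    done
    return $rc
}

# Constructed fixture mirroring the two-NIC host in the thread: "all" left
# at 0, eth0 enabled per-interface, eth1 forgotten.
make_fixture() {
    SYSROOT=$(mktemp -d)
    for i in all default lo eth0 eth1; do
        mkdir -p "$SYSROOT/proc/sys/net/ipv4/conf/$i"
        echo 0 > "$SYSROOT/proc/sys/net/ipv4/conf/$i/rp_filter"
    done
    echo 1 > "$SYSROOT/proc/sys/net/ipv4/conf/eth0/rp_filter"
}
```

On a real host run `audit_rp_filter` with SYSROOT unset; a non-zero exit means at least one interface still accepts spoofed sources.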