Hi Kurt
I copied your ipchains firewall from SecurityPortal. I've got a question about anti-spoofing. You've done it like this:

# ANTI-SPOOFING
ipchains -A input -p all -j DENY -s 10.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 192.168.0.0/16 -i eth0 -d 0.0.0.0/0
# /12, not /16: the RFC 1918 block is 172.16.0.0-172.31.255.255
ipchains -A input -p all -j DENY -s 172.16.0.0/12 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s $ETH0IP -i eth0 -d 0.0.0.0/0
First question: Do spoofers use IP addresses only of private IP ranges?
No. But these IPs are non-routed internal networks. You should never ever see them coming in over the Internet, hence blocking them is a good idea. Attackers can spoof from any address, some of which you can safely block.
Second question:
Where is the difference to: echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
That prevents things like:

network 10.0.0.* --- 10.0.0.1 [eth0] server [eth1] 192.168.0.1 --- network 192.168.0.*

thus if packets labelled as from 10.0.0.* come in on eth1 the server goes "hey......... that ain't right! 10.0.0.* is on eth0!". If EVERY machine and router on the Internet did this, packet spoofing would be a non-issue. Of course that'll never happen.
(frankly I don't know exactly what this does, I've read this line in the suse-security mailing list one month ago)
Controlling access as much as possible is the idea. For example if you don't need to talk to university networks you can firewall them, which blocks a lot of attackers (university networks are a favorite place to attack from).
Thank you, Philipp
You may applaud at will. Kurt Seifried SecurityPortal, your focal point for security on the net http://www.securityportal.com/
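As an added illustration, not part of Kurt's or Philipp's mail, the following Python model shows the difference between the two mechanisms discussed above: the static ipchains DENY rules only look at the source address on eth0, while rp_filter consults the routing table for every interface. The routing table, the 203.0.113.5 stand-in for $ETH0IP and the sample packets are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Mirrors the static ipchains rules: private, loopback and our own address
# must never arrive on the external interface (172.16.0.0/12 is RFC 1918).
EXTERNAL_IF = "eth0"
ETH0IP = ipaddress.ip_address("203.0.113.5")  # constructed stand-in for $ETH0IP
STATIC_BOGONS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# Constructed routing table: which networks are reachable via which interface.
ROUTES: Dict[str, List[ipaddress.IPv4Network]] = {
    "eth0": [ipaddress.ip_network("0.0.0.0/0")],       # default route, Internet
    "eth1": [ipaddress.ip_network("192.168.0.0/24")],  # internal LAN
    "eth2": [ipaddress.ip_network("10.0.0.0/24")],     # second internal LAN
}

def static_antispoof(src: str, iface: str) -> bool:
    """True if the static rules would DENY this packet. They are bound to
    eth0 only, so a spoofed private source on eth1 passes them untouched."""
    addr = ipaddress.ip_address(src)
    if iface != EXTERNAL_IF:
        return False
    return addr == ETH0IP or any(addr in net for net in STATIC_BOGONS)

def best_route_iface(src: str) -> Optional[str]:
    """Longest-prefix match: the interface a reply to src would leave on."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[str, int]] = None
    for iface, nets in ROUTES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (iface, net.prefixlen)
    return best[0] if best else None

def rp_filter_drops(src: str, iface: str) -> bool:
    """Reverse-path check as rp_filter does it: drop when the route back to
    src does not point at the interface the packet arrived on."""
    return best_route_iface(src) != iface

def verdict(src: str, iface: str) -> str:
    """Combined decision for a packet with source src arriving on iface."""
    if static_antispoof(src, iface):
        return "DENY (static anti-spoof rule)"
    if rp_filter_drops(src, iface):
        return "DROP (rp_filter)"
    return "ACCEPT"
```

The 10.0.0.7-on-eth1 case is the one Kurt describes: the static rules never see it because they are bound to eth0, but rp_filter rejects it because 10.0.0.* is routed via eth2.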