Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] host.deny and spoofing
On Monday 04 February 2002 12:30, you wrote:
> Mark Ruth wrote:
> > -- Do you really think a router or firewall forwards ips like 127.0.0.1?
>
> yes.
> If some big German ISP routes a spoofed packet from a webserver to
> my home firewall, I REALLY think that they forward IPs like 127.x.x.x...
> if you don't believe it, I can give you rejects for 192.168.x.x, 10.x.x.x,
> 127.x.x.x and so on ;-)
>
> so, DON'T believe that others will do things for you..

I agree, so many ISPs use default routes, and I've seen routing loops caused
by this in quite well known ones, after networks have been returned to them.
There is also the nasty business of source routes in packets.

Most ISPs take a head in the sand approach and pass the buck on spoofing
issues. Few check your outward bound packets for validity, as it costs time
and money to get right.

It is possible to gain some extra protection by enabling ident lookups in
hosts.allow and rejecting any connections from your internal networks that
fail to be verified. It can't be relied upon to permit access, but a
detected SPOOF is a strong indication that something is wrong.

Rob
