OSEC

From: Martin Macok (martin.macokUNDERGROUND.CZ)
Date: Tue Mar 06 2001 - 16:05:17 CST

    On Tue, Mar 06, 2001 at 01:34:18PM +0300, 3APA3A wrote:
    > I believe solution for this problem may be something like
    >
    > ipfw add allow all via lo*
    > ipfw add deny all to 127.0.0.0/8
    >
    > if you want this behavior to be changed.

     (In case Linux 2.4 ''suffers'' ...
      I had no time to test it, but others (Kyle Sparger) claimed so)

    In netfilter/iptables (linux 2.4) language:

    ### ALLOW EVERYTHING FROM lo AND DISABLE EVERYTHING ELSE TO 127.0.0.*
    iptables -A INPUT -i lo -j ACCEPT
    # if you want some logging, uncomment next line:
    # iptables -A INPUT -d 127.0.0.0/8 -m limit --limit 5/minute -j LOG
    iptables -A INPUT -d 127.0.0.0/8 -j DROP

    OR similar strategy:

    ### DISABLE EVERYTHING TO 127.0.0.* NOT COMING FROM lo
    # if you want some logging, uncomment next line:
    # iptables -A INPUT -d 127.0.0.0/8 -i ! lo -m limit --limit 5/minute -j LOG
    # (newer iptables releases write the negation as '! -i lo'; the form below is still accepted)
    iptables -A INPUT -d 127.0.0.0/8 -i ! lo -j DROP

    I vote for 'Strong ES Model' by default (especially for Linux, as it
    is often installed by clueless beginners) and there is no argument
    for making 'Weak ES Model' the default, including the fact that
    almost no current Security-HOWTOs/Firewall-HOWTOs/Networking-HOWTOs
    discuss that topic ...

    Have a nice day

    -- 
       Martin Mačok
      underground.cz
        openbsd.cz
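The two rule sets in the message above look interchangeable, but they behave differently for traffic on lo that is not addressed to 127.0.0.0/8, which matters once the INPUT chain has a DROP policy. The following is an added example, not code from Martin's post: a small first-match evaluator for the matches actually used in those rules (`-i`, `-i ! iface`, `-d`, `-j`) that replays constructed packets through both rule sets. The `Rule`/`evaluate` names are this example's own, the `-m limit` rate limit on the LOG rule is deliberately not modelled, and the chain policy defaults to ACCEPT as on a fresh 2.4 box.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Terminating targets end traversal of the chain; LOG is non-terminating.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Rule:
    """One INPUT rule reduced to the matches used in the post:
    -i <iface> (optionally negated as '-i ! <iface>'), -d <network>, -j <target>."""
    target: str
    in_iface: Optional[str] = None
    iface_negated: bool = False
    dst: Optional[ipaddress.IPv4Network] = None

    def matches(self, iface: str, dst: ipaddress.IPv4Address) -> bool:
        if self.in_iface is not None:
            hit = (iface == self.in_iface)
            # '-i lo' wants hit == True, '-i ! lo' wants hit == False
            if hit == self.iface_negated:
                return False
        if self.dst is not None and dst not in self.dst:
            return False
        return True


def evaluate(chain: List[Rule], iface: str, dst: str, policy: str = "ACCEPT") -> str:
    """Walk the chain like netfilter: first terminating match wins,
    LOG rules fall through, and the chain policy applies if nothing matched."""
    addr = ipaddress.IPv4Address(dst)
    for rule in chain:
        if rule.matches(iface, addr) and rule.target in TERMINATING:
            return rule.target
    return policy


LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# Variant 1 from the post: accept everything on lo, then drop anything else to 127/8.
CHAIN_ACCEPT_LO_FIRST = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("LOG", dst=LOOPBACK),
    Rule("DROP", dst=LOOPBACK),
]

# Variant 2 from the post: drop 127/8 destinations only when they did not arrive on lo.
CHAIN_NEGATED_IFACE = [
    Rule("LOG", in_iface="lo", iface_negated=True, dst=LOOPBACK),
    Rule("DROP", in_iface="lo", iface_negated=True, dst=LOOPBACK),
]

# Constructed packets: (incoming interface, destination address).
PACKETS = [
    ("eth0", "127.0.0.1"),        # spoofed loopback destination from the wire
    ("eth0", "127.255.255.255"),  # whole /8 is covered, not just .1
    ("lo", "127.0.0.1"),          # genuine loopback traffic
    ("lo", "192.0.2.10"),         # lo traffic to a non-loopback (e.g. own eth0) address
]


def compare(policy: str = "ACCEPT") -> dict:
    """Verdict of both variants for every constructed packet under the given policy."""
    return {
        (iface, dst): (
            evaluate(CHAIN_ACCEPT_LO_FIRST, iface, dst, policy),
            evaluate(CHAIN_NEGATED_IFACE, iface, dst, policy),
        )
        for iface, dst in PACKETS
    }


if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(f"INPUT policy {policy}:")
        for (iface, dst), (v1, v2) in compare(policy).items():
            print(f"  {iface:5s} -> {dst:16s}  variant1={v1:6s} variant2={v2}")
```

With the default ACCEPT policy both variants give identical verdicts: 127/8 destinations arriving on eth0 are dropped, everything on lo is accepted. Under a DROP policy they diverge on the last packet: variant 1 still accepts it because of its unconditional `-i lo -j ACCEPT`, while variant 2 leaves lo traffic to non-loopback addresses to the policy and drops it. That is the check to run before copying either rule set into a default-deny ruleset.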