[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Anyone studying for Cisco certs?
looks like it is just a loop variable for the multifile substitution.
> What does the for f do?
>
> On Fri, 2003-05-16 at 11:05, Richard Fifarek wrote:
> > On Fri, 16 May 2003 fiaid@quasi-sane.com wrote:
> >
> > > That was a massively simplified explaination of the need for IP Spoof
> > > checking.
> >
> > So that leads to the obvious question, how does one do this with
> > Linux/IPTables/IPChains?
> >
> > Direct quote from IPChains Howto (applies to IPTables as well):
> >
> > "The best way to protect from IP spoofing is called Source Address
> > Verification, and it is done by the routing code, and not firewalling at
> > all. Look for a file called /proc/sys/net/ipv4/conf/all/rp_filter. If this
> > exists, then turning on Source Address Verification at every boot is the
> > right solution for you. To do that, insert the following lines somewhere
> > in your init scripts, before any network interfaces are initialized:
> >
> >
> >
> > # This is the best method: turn on Source Address Verification and get
> > # spoof protection on all current and future interfaces.
> >
> > if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
> > echo -n "Setting up IP spoofing protection..."
> > for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> > echo 1 > $f
> > done
> > echo "done."
> > else
> > echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
> > echo "CONTROL-D will exit from this shell and continue system startup."
> > echo
> > # Start a single user shell on the console
> > /sbin/sulogin $CONSOLE
> > fi
> >
> >
> >
> > If you cannot do this, you can manually insert rules to protect every
> > interface. This requires knowledge of each interface. The 2.1 kernels
> > automatically reject packets claiming to come from the 127.* addresses
> > (reserved for the local loopback interface, lo).
> >
> > For example, say we have three interfaces, eth0, eth1 and ppp0. We can use
> > ifconfig to tell us the address and netmask of the interfaces. Say eth0
> > was attached to a network 192.168.1.0 with netmask 255.255.255.0, eth1 was
> > attached to a network 10.0.0.0 with netmask 255.0.0.0, and ppp0 connected
> > to the Internet (where any address except the reserved private IP
> > addresses are allowed), we would insert the following rules:
> >
> >
> >
> > # ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
> > # ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY
> > # ipchains -A input -i eth1 -s ! 10.0.0.0/255.0.0.0 -j DENY
> > # ipchains -A input -i ! eth1 -s 10.0.0.0/255.0.0.0 -j DENY
> > #
> >
> > This approach is not as good as the Source Address Verification approach,
> > because if your network changes, you have to change your firewalling rules
> > to keep up.
> >
> > If you are running a 2.0 series kernel, you might want to protect the
> > loopback interface as well, using a rule like this:
> >
> >
> >
> > # ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY
> > #
> > "
> >
> >
> > --
> > Richard H. Fifarek
> > rfifarek@silug.org
> >
> >
> >
> > -
> > To unsubscribe, send email to majordomo@silug.org with
> > "unsubscribe silug-discuss" in the body.
>
>
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
>
--
Tighe Schlottog workape fiaid
"Nothing is too cruel if it is funny enough."
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.