
Re: Anyone studying for Cisco certs?



looks like it is just a loop variable for the multifile substitution.

> What does the for f do?
> 
> On Fri, 2003-05-16 at 11:05, Richard Fifarek wrote:
> > On Fri, 16 May 2003 fiaid@quasi-sane.com wrote:
> > 
> > > That was a massively simplified explanation of the need for IP Spoof
> > > checking.
> > 
> > 	So that leads to the obvious question, how does one do this with 
> > Linux/IPTables/IPChains?
> > 
> > Direct quote from IPChains Howto (applies to IPTables as well):
> > 
> > "The best way to protect from IP spoofing is called Source Address
> > Verification, and it is done by the routing code, and not firewalling at
> > all. Look for a file called /proc/sys/net/ipv4/conf/all/rp_filter. If this
> > exists, then turning on Source Address Verification at every boot is the
> > right solution for you. To do that, insert the following lines somewhere
> > in your init scripts, before any network interfaces are initialized:
> > 
> > 
> > 
> > # This is the best method: turn on Source Address Verification and get 
> > # spoof protection on all current and future interfaces. 
> > 
> > if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
> >   echo -n "Setting up IP spoofing protection..."
> >   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> >       echo 1 > $f
> >   done
> >   echo "done."
> > else
> >   echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
> >   echo "CONTROL-D will exit from this shell and continue system startup."
> >   echo
> >   # Start a single user shell on the console
> >   /sbin/sulogin $CONSOLE
> > fi
> > 
> > 
> > 
> > If you cannot do this, you can manually insert rules to protect every 
> > interface. This requires knowledge of each interface. The 2.1 kernels 
> > automatically reject packets claiming to come from the 127.* addresses 
> > (reserved for the local loopback interface, lo).
> > 
> > For example, say we have three interfaces, eth0, eth1 and ppp0. We can use 
> > ifconfig to tell us the address and netmask of the interfaces. Say eth0 
> > was attached to a network 192.168.1.0 with netmask 255.255.255.0, eth1 was 
> > attached to a network 10.0.0.0 with netmask 255.0.0.0, and ppp0 connected 
> > to the Internet (where any address except the reserved private IP 
> > addresses are allowed), we would insert the following rules:
> > 
> > 
> > 
> > # ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
> > # ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY
> > # ipchains -A input -i eth1 -s ! 10.0.0.0/255.0.0.0 -j DENY
> > # ipchains -A input -i ! eth1 -s 10.0.0.0/255.0.0.0 -j DENY
> > # 
> > 
> > This approach is not as good as the Source Address Verification approach, 
> > because if your network changes, you have to change your firewalling rules 
> > to keep up.
> > 
> > If you are running a 2.0 series kernel, you might want to protect the 
> > loopback interface as well, using a rule like this:
> > 
> > 
> > 
> > # ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY
> > #
> > "
> > 
> > 
> > -- 
> > Richard H. Fifarek
> > rfifarek@silug.org
> > 
> > 
> > 
> > -
> > To unsubscribe, send email to majordomo@silug.org with
> > "unsubscribe silug-discuss" in the body.
> 
> 
> 
> 

-- 
Tighe Schlottog         workape         fiaid
"Nothing is too cruel if it is funny enough."
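The rp_filter sysctl and the per-interface ipchains rules quoted above, redone as an added example for iptables. This is not part of the IPChains HOWTO or of anyone's post in the thread. It uses the HOWTO's example topology (eth0 on 192.168.1.0/24, eth1 on 10.0.0.0/8) as constructed input, and the functions only print the commands, so the output can be read over before it is piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the IPChains HOWTO or from this thread:
# the HOWTO's anti-spoofing rules redone for iptables, plus rp_filter.
# Functions print commands instead of running them, so the output can
# be reviewed first and then applied with:  ./antispoof.sh | sh   (as root)

# Source Address Verification via sysctl. On current kernels rp_filter is
# 0 = off, 1 = strict (drop if the route back to the source is not the
# arrival interface), 2 = loose (drop only if the source is unroutable).
# The kernel applies the higher of conf/all and conf/<interface>, so "all"
# covers every existing interface and "default" covers ones created later.
rp_filter_commands() {
    mode="${1:-1}"
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=%s\n' "$mode"
    printf 'sysctl -w net.ipv4.conf.default.rp_filter=%s\n' "$mode"
}

# iptables equivalent of the two ipchains rules the HOWTO writes per
# interface. The negation moves in front of the option: ipchains
# "-i ! eth0" / "-s ! net" becomes "! -i eth0" / "! -s net".
antispoof_rules_for() {
    iface="$1"
    net="$2"
    # anything arriving on $iface must claim a source inside $net ...
    printf 'iptables -A INPUT -i %s ! -s %s -j DROP\n' "$iface" "$net"
    # ... and nothing claiming a source inside $net may arrive elsewhere
    printf 'iptables -A INPUT ! -i %s -s %s -j DROP\n' "$iface" "$net"
}

# Arguments are iface=cidr pairs, e.g. eth0=192.168.1.0/24 eth1=10.0.0.0/8.
# Always finishes with the loopback rule, since 127/8 must only appear on lo.
antispoof_rules() {
    for pair in "$@"; do
        antispoof_rules_for "${pair%%=*}" "${pair#*=}"
    done
    printf 'iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP\n'
}

# Stand-alone run: the HOWTO's example topology (constructed input), or
# whatever iface=cidr pairs are given on the command line.
if [ "$#" -eq 0 ]; then
    set -- eth0=192.168.1.0/24 eth1=10.0.0.0/8
fi
rp_filter_commands 1
antispoof_rules "$@"
```

Strict mode (rp_filter=1) is what the HOWTO's `echo 1 > $f` sets, and it drops legitimate traffic on hosts with asymmetric routing (replies leaving by a different interface than the one the request arrived on); loose mode (rp_filter=2) still rejects sources that have no route at all but tolerates that case. The static iptables rules have the weakness the HOWTO already names: they encode the addressing, so they must be regenerated whenever a network or interface changes.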

