I don't understand why you need to add the router's external address.
What is loopback spoofing? How does it break security?
What are unusual addresses?
Jon
-------------------------------------------
Andreas Greulich said:
<snip>
The first line(s) protect against spoofing of internal addresses (I think
one should also add the routers own external IP-address, which often
is assigned by the internet provider and is not an address of the local
subnet - but I'm not 100% sure if routers send packets to themselves
and thus such a filter would block something - maybe somebody can comment about
that?), the second line protects against loopback spoofing; the final
lines wouldn't be really needed, but I think it's wise removing packets
that claim to be from unusual addresses or that go to unusual addresses,
like to 127.0.0.1 or coming from 0.10.10.10 or whatever... who knows
if this would for example crash some implementations? In this sense,
more lines might be added, and maybe a complete set of such default
filters can be compiled? Just a small suggestion to cert *hint hint*.
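The three groups of filter rules Andreas describes (internal-source spoofing, loopback spoofing, and "unusual" addresses), written out as a small packet classifier in Python. This is an added example, not code from the thread; the LAN subnet 192.168.1.0/24, the router's external address 203.0.113.7 and the interface names "lan", "wan" and "lo" are assumed values.

```python
import ipaddress

# Added example: an ingress anti-spoofing filter as a pure-Python decision
# function. Assumed topology: LAN 192.168.1.0/24 behind interface "lan",
# router's provider-assigned external address 203.0.113.7 on interface "wan".
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_EXT = ipaddress.ip_address("203.0.113.7")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# "Unusual" ranges that are never valid on the wire as source or destination.
BOGON_NETS = [ipaddress.ip_network("0.0.0.0/8"),
              ipaddress.ip_network("240.0.0.0/4")]

def classify(iface, src, dst):
    """Return 'ACCEPT' or 'DROP:<reason>' for one packet arriving on iface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "wan":
        # First rule(s): an internal source address cannot arrive from outside.
        if s in LAN_NET:
            return "DROP:spoofed-internal-source"
        # The router never receives its own outbound traffic back through the
        # WAN side, so its external address as a source there is spoofed too.
        if s == ROUTER_EXT:
            return "DROP:spoofed-router-address"
    # Loopback traffic only exists on "lo"; anywhere else it is spoofed.
    if iface != "lo" and (s in LOOPBACK or d in LOOPBACK):
        return "DROP:loopback-spoofing"
    # Final rules: addresses that are not valid on the wire at all.
    for net in BOGON_NETS:
        if s in net:
            return f"DROP:unusual-source:{net}"
        if d in net:
            return f"DROP:unusual-destination:{net}"
    return "ACCEPT"

# Constructed sample packets: (interface, source, destination).
SAMPLE = [
    ("wan", "198.51.100.9", "203.0.113.7"),  # ordinary inbound traffic
    ("wan", "192.168.1.20", "192.168.1.1"),  # internal source from outside
    ("wan", "203.0.113.7", "192.168.1.1"),   # router's own address from outside
    ("lan", "127.0.0.1", "192.168.1.1"),     # loopback source on the LAN side
    ("wan", "0.10.10.10", "203.0.113.7"),    # the "0.10.10.10 or whatever" case
    ("wan", "198.51.100.9", "127.0.0.1"),    # addressed to loopback
]

def run_samples():
    """Apply the filter to every sample packet; returns {packet: verdict}."""
    return {pkt: classify(*pkt) for pkt in SAMPLE}

for pkt, verdict in run_samples().items():
    print(pkt, "->", verdict)
```

On the question of whether the extra rule for the router's own external address blocks anything legitimate: a packet the router addresses to itself is delivered over the loopback interface rather than re-entering through the WAN interface, so a source-address check bound to "wan" does not affect it.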