On Tue, 17 Jun 2003, Simon Kirby wrote:

> On Tue, Jun 17, 2003 at 01:36:35PM -0700, David S. Miller wrote:
>
> > I have no idea why they do this, it's the stupidest thing
> > you can possibly do by default.
> >
> > If we thought it was a good idea to turn this on by default
> > we would have done so in the kernel.
> >
> > Does anyone have some cycles to spare to try and urge whoever is
> > responsible for this in Debian to leave the kernel's default setting
> > alone?
>
> Sure, I can do this. But why is this stupid? It uses more CPU, but
> stops IP spoofing by default. Specific firewall rules would have to be
> created otherwise. And the overhead only really shows when the routing
> table is large, right?

Personally I think rp_filter by default is the only good choice
(security/operational-wise). It's typically not useful when you have a
lot of routes, though.. but as the 99.9% of users _don't_, it still seems
like a good default value.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
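The thread argues about whether `rp_filter` should be on by default without spelling out what the check actually does to a packet. The following is an added illustration, not code from the thread or from the kernel: it emulates the reverse-path decision the kernel makes per ingress interface against a small, constructed routing table. Mode `1` is strict reverse-path filtering (the only mode that existed in 2003, and the one the thread is about); mode `2` is the loose mode later kernels added, included here for contrast. The interface names, prefixes and source addresses are all made up for the example, and the effective-mode rule (the larger of `conf.all.rp_filter` and `conf.<iface>.rp_filter` wins) is modelled as a separate helper.

```python
import ipaddress

# Constructed routing table for a small edge router: (prefix, egress interface).
# eth0 faces the upstream, eth1 faces the LAN.
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route via the upstream
    ("192.0.2.0/24", "eth1"),     # directly connected LAN segment
    ("198.51.100.0/24", "eth0"),  # peer network reachable upstream
]

# Constructed table for a stub host with no default route at all.
STUB_ROUTES = [
    ("192.0.2.0/24", "eth1"),
]


def best_route(table, dst):
    """Longest-prefix match. Returns the egress interface, or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def effective_mode(all_value, iface_value):
    """Kernel rule: the larger of conf.all.rp_filter and conf.<iface>.rp_filter applies."""
    return max(all_value, iface_value)


def rp_filter_verdict(table, src, ingress, mode):
    """Emulate the reverse-path check for a packet with source `src` arriving on `ingress`.

    mode 0: no check.
    mode 1: strict. The route back to the source must leave via the ingress interface.
    mode 2: loose. Any route back to the source is enough; only unroutable sources drop.
    Returns 'accept' or 'drop'.
    """
    if mode == 0:
        return "accept"
    reverse_iface = best_route(table, src)
    if mode == 1:
        return "accept" if reverse_iface == ingress else "drop"
    if mode == 2:
        return "accept" if reverse_iface is not None else "drop"
    raise ValueError("rp_filter mode must be 0, 1 or 2")


def evaluate(table, packets, mode):
    """Run a batch of constructed (src, ingress) pairs through the check."""
    return [(src, ingress, rp_filter_verdict(table, src, ingress, mode))
            for src, ingress in packets]


if __name__ == "__main__":
    # Constructed packets: a LAN host, the same LAN address spoofed from upstream,
    # an Internet source arriving upstream, and that source spoofed from the LAN.
    packets = [
        ("192.0.2.77", "eth1"),
        ("192.0.2.77", "eth0"),
        ("203.0.113.5", "eth0"),
        ("203.0.113.5", "eth1"),
    ]
    for mode in (0, 1, 2):
        print(f"rp_filter={mode}")
        for src, ingress, verdict in evaluate(ROUTES, packets, mode):
            print(f"  src={src:<13} in={ingress}  -> {verdict}")
```

The strict verdicts show both halves of the thread's argument: the spoofed packets (a LAN address arriving from upstream, an Internet address arriving from the LAN) are dropped with no firewall rule written, which is Simon's point, while the check costs one extra route lookup per packet, which is where the CPU overhead on large tables comes from. The caveat behind Pekka's "not useful when you have a lot of routes" is also visible in the model: strict mode can only be correct when the forward and reverse paths use the same interface, so a multi-homed router with asymmetric routing would drop legitimate traffic and has to either use loose mode or turn the check off on the affected interfaces.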