On Fri, 15 Aug 2008, Grant Taylor wrote:
If you are worried about someone else spoofing an IP in your recent list,
look in to the --rttl option to have the recent list remember the TTL values
of packets and require them to be the same. This way if some jerk off who is
more hops away from you is trying to pretend to be you, his traffic will
appear to be at a different TTL than yours. This is not fool proof, but it
will sure help reduce the risk of exposure that you are referring to.
Thanks, Grant.
I don't think any spoofing is required. I had in mind someone who had
gained access to my local network (not simple, but not out of the
question) and who was essentially pretending to be a printer by sending
packets from his port 161 immediately following a cups broadcast. I'm
not worried about people without access to the local network because
they wouldn't see the broadcast that opens the "recent" time window.
Am I fussing over nothing here? Is it clear that much harm can be done
by getting upd packets through my firewall to arbitrary high numbered
ports? Denial of service is probably not a big issue because of the
short time window.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
