On Wednesday 2011-06-22 06:25, Adishesh M wrote:

>>> The two sets certainly can be different (mathematically), so choose
>>> wisely. Especially since addresses can occur on any interface.
>
> Currently we are not using DHCP to get IP addresses.

This has nothing to do with DHCP. Any malicious host on a particular
subnet can emit packets with any desired source address.

> we wanted to know the difference between option 1 and option 2
> (mentioned in the first mail of this mail chain) with respect to
> security of the system.

As I said before, this entirely depends on the ruleset. Block wide,
accept sparingly. Combining -i with -s is obviously a narrower
expression than just -s.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
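An added illustration, not part of the thread, of why "-i with -s" is narrower than "-s" alone: a tiny model of an INPUT chain (first match wins, policy DROP) is evaluated against a legitimate packet and a packet whose trusted source address arrives on the wrong interface. The "first mail" is not on the page, so option 1 is assumed to be an `-s`-only accept and option 2 an `-i` plus `-s` accept; the subnet and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Minimal model of an iptables INPUT chain: the first matching rule
# decides, otherwise the chain policy applies. Illustration only; this
# is not netfilter code.

@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or DROP
    src: Optional[str] = None        # -s <cidr>
    in_iface: Optional[str] = None   # -i <iface>

    def matches(self, iface: str, src_ip: str) -> bool:
        if self.in_iface is not None and self.in_iface != iface:
            return False
        if self.src is not None:
            if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
                return False
        return True

def verdict(chain, iface, src_ip, policy="DROP"):
    """Walk the chain like the kernel would and return the verdict."""
    for rule in chain:
        if rule.matches(iface, src_ip):
            return rule.target
    return policy

TRUSTED_NET = "10.0.0.0/24"   # constructed: the internal subnet on eth1
# Option 1 (assumed): trust the address wherever the packet arrives.
OPTION1 = [Rule("ACCEPT", src=TRUSTED_NET)]
# Option 2 (assumed): trust the address only on the interface it belongs to.
OPTION2 = [Rule("ACCEPT", src=TRUSTED_NET, in_iface="eth1")]

def compare(iface, src_ip):
    """Verdict under option 1 and option 2 for one incoming packet."""
    return verdict(OPTION1, iface, src_ip), verdict(OPTION2, iface, src_ip)

if __name__ == "__main__":
    # Legitimate packet: internal address on the internal interface.
    print(compare("eth1", "10.0.0.5"))      # ('ACCEPT', 'ACCEPT')
    # Forged source: internal address arriving on the external interface.
    print(compare("eth0", "10.0.0.5"))      # ('ACCEPT', 'DROP')
    # Unrelated external source: both fall through to policy DROP.
    print(compare("eth0", "203.0.113.9"))   # ('DROP', 'DROP')
```

The second case is the one the reply warns about: with `-s` alone the forged packet is accepted, with `-i` added it is dropped.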