Sounds good!!

> I have considered these aspects:
> 1. source address verification (spoofing)

Yes this is a must. Edit your /etc/sysctl.conf file and change this line:

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

Then run "/sbin/sysctl -w". Be sure that it is enabled:

cat /proc/sys/net/ipv4/ip_forward

Also, in your firewall rules, add a rule that will log attempts to spoof your ip address.

> 2. strict forward chains based on address
> 3. trusted to anywhere is MASQed, direct forwarding is allowed only between
> internet and dmz

Explicitly denying all incoming requests and forwarding sounds really good.

> 4. strict control on ports for dmz and trusted.

Are 2, 3, and 4 basically the same thing? Are you going to have specific services on both your internal trusted hosts and your dmz available for the public?

--
duane
-- GnuPG Public Key: http://sukkha.homeip.net/pgp.html
-- Fun reading: 8-) http://linuxtoday.com/search.php3?author=Duane:Dunston

------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
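The three-leg design sketched in this exchange (anti-spoofing with logging, strict forward chains keyed on interface and address, trusted masqueraded to anywhere, direct forwarding only between internet and dmz, and a short port list for the dmz), written out as an added example. This is not code from the message above or from the list; it assumes iptables, and the interface names (eth0/eth1/eth2), address ranges and port list are placeholders to adjust. One point worth separating from the message: the kernel's own source address verification (reverse-path check) is net.ipv4.conf.all.rp_filter, while net.ipv4.ip_forward is what turns on routing between the interfaces; a firewall box needs both, and the script sets both.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Prints the sysctl settings and iptables rules for an internet/dmz/trusted
# firewall so they can be reviewed before loading; "--apply" loads them.

EXT_IF=${EXT_IF:-eth0}               # assumption: interface toward the Internet
DMZ_IF=${DMZ_IF:-eth1}               # assumption: DMZ segment
INT_IF=${INT_IF:-eth2}               # assumption: trusted LAN
DMZ_NET=${DMZ_NET:-192.0.2.0/24}     # assumption: DMZ address range
INT_NET=${INT_NET:-192.168.1.0/24}   # assumption: trusted (private) range
DMZ_PORTS=${DMZ_PORTS:-"25 80 443"}  # assumption: services published from the DMZ

# Kernel knobs: rp_filter is the source address verification (reverse-path
# check), ip_forward enables routing between the three interfaces.
sysctl_settings() {
    printf 'net.ipv4.conf.all.rp_filter=1\n'
    printf 'net.ipv4.ip_forward=1\n'
}

# Emit the rule set as a list of commands (one per line).
firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Anti-spoofing: anything arriving on the external interface that claims
    # an inside or loopback source is logged, then dropped (log rule first).
    for net in "$DMZ_NET" "$INT_NET" 127.0.0.0/8; do
        for chain in INPUT FORWARD; do
            printf 'iptables -A %s -i %s -s %s -j LOG --log-prefix "SPOOF: "\n' "$chain" "$EXT_IF" "$net"
            printf 'iptables -A %s -i %s -s %s -j DROP\n' "$chain" "$EXT_IF" "$net"
        done
    done
    # Strict FORWARD chain: replies to allowed sessions, then the explicit cases.
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # internet -> dmz: direct forwarding, but only to the published TCP ports.
    for p in $DMZ_PORTS; do
        printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$EXT_IF" "$DMZ_IF" "$DMZ_NET" "$p"
    done
    # trusted -> anywhere (internet or dmz): forwarded and masqueraded on the
    # way out, so trusted addresses never appear outside their own segment.
    printf 'iptables -A FORWARD -i %s -s %s -j ACCEPT\n' "$INT_IF" "$INT_NET"
    for out in "$EXT_IF" "$DMZ_IF"; do
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$out" "$INT_NET"
    done
    # Anything else that reaches FORWARD (e.g. new sessions from the dmz
    # toward trusted) is logged before the DROP policy takes it.
    printf 'iptables -A FORWARD -j LOG --log-prefix "FWD-DENY: "\n'
}

# Load the policy (requires root): sysctl first, then the rules.
apply_firewall() {
    sysctl_settings | while read -r setting; do sysctl -w "$setting"; done
    firewall_rules | sh -e
}

case "${1:-}" in
    --apply) apply_firewall ;;
    *) sysctl_settings; firewall_rules ;;   # default: print for review
esac
```

Run it once without arguments and read the output, then check `cat /proc/sys/net/ipv4/ip_forward` and `/proc/sys/net/ipv4/conf/all/rp_filter` after `--apply`; the "SPOOF:" and "FWD-DENY:" prefixes are what to grep for in the kernel log.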