Sounds good!!
> I have considered these aspects:
> 1. source address verification (spoofing)
Yes, this is a must. Edit your /etc/sysctl.conf file and change this
line:
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
Then run "/sbin/sysctl -w". Be sure that it is enabled:
cat /proc/sys/net/ipv4/ip_forward
Also, in your firewall rules, add a rule that will log attempts to spoof
your IP address.
> 2. strict forward chains based on address
> 3. trusted to anywhere is MASQed, direct forwarding is allowed only between
> internet and dmz
Explicitly denying all incoming requests and forwarding sounds really good.
> 4. strict control on ports for dmz and trusted.
Are 2, 3, and 4 basically the same thing? Are you going to have
specific services on both your internal trusted hosts and your dmz
available for the public?
--
duane
--
GnuPG Public Key: http://sukkha.homeip.net/pgp.html
--
Fun reading: 8-)
http://linuxtoday.com/search.php3?author=Duane:Dunston
------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
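As an added example (not part of the original message or its author's configuration): a POSIX shell script that prints, or with --apply runs, the kernel settings and iptables rules for the points discussed above: logging spoofed source addresses, the default-deny forward policy, trusted-to-anywhere masquerading, and internet-to-DMZ forwarding only. It assumes iptables rather than ipchains, an external interface eth0, a DMZ on eth1 and a trusted LAN on eth2; interface names, address ranges and the DMZ service port are constructed placeholders. It goes one step beyond the message by also enabling rp_filter, the kernel's own reverse-path source-address check, which the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints (or, with --apply,
# runs) the sysctl settings and iptables rules for a three-legged firewall:
# internet on $EXT_IF, DMZ on $DMZ_IF, trusted LAN on $LAN_IF.
# Interface names and address ranges are assumed placeholders.
EXT_IF="${EXT_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
LAN_IF="${LAN_IF:-eth2}"
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"     # constructed, RFC 5737 documentation range
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed

# Kernel side: forwarding on (the box is a router) plus reverse-path
# filtering, the kernel's own source-address check (an addition here,
# not something the original message mentions).
sysctl_lines() {
    printf '%s\n' \
        'net.ipv4.ip_forward = 1' \
        'net.ipv4.conf.all.rp_filter = 1' \
        'net.ipv4.conf.default.rp_filter = 1' \
        'net.ipv4.conf.all.log_martians = 1'
}

# Current forwarding state, read the same way the message checks it.
check_ip_forward() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Log, then drop, packets arriving on the external interface that carry an
# internal or loopback source address, and packets entering from an internal
# interface with a source address that does not belong to that segment.
antispoof_rules() {
    for net in "$DMZ_NET" "$LAN_NET" 127.0.0.0/8; do
        for chain in INPUT FORWARD; do
            echo "iptables -A $chain -i $EXT_IF -s $net -j LOG --log-prefix 'SPOOF-EXT: '"
            echo "iptables -A $chain -i $EXT_IF -s $net -j DROP"
        done
    done
    echo "iptables -A FORWARD -i $LAN_IF ! -s $LAN_NET -j LOG --log-prefix 'SPOOF-LAN: '"
    echo "iptables -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP"
    echo "iptables -A FORWARD -i $DMZ_IF ! -s $DMZ_NET -j LOG --log-prefix 'SPOOF-DMZ: '"
    echo "iptables -A FORWARD -i $DMZ_IF ! -s $DMZ_NET -j DROP"
}

# Default-deny, then the two permitted forwarding paths from the thread:
# trusted LAN to anywhere (masqueraded) and internet to a DMZ service
# (TCP/80 as the constructed example). Replies ride on connection tracking.
forward_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -j MASQUERADE"
    echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_NET -p tcp --dport 80 -j ACCEPT"
}

# Whole ruleset as shell commands; sysctl lines become "sysctl -w key=value".
emit_all() {
    sysctl_lines | sed 's/ = /=/; s/^/sysctl -w /'
    antispoof_rules
    forward_rules
}

case "${1:-}" in
    --apply) emit_all | sh -e ;;
    *)       emit_all ;;
esac
```

Run it without arguments to review the generated commands, and with --apply (as root) to execute them. The anti-spoofing rules are emitted before the ESTABLISHED,RELATED accept so that a forged packet is logged and dropped before any state match can admit it.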