Hello,

Administrator wrote:
> This may be a stupid answer, but isn't it easily possible to set up the interfaces (or firewall, or both) so they reject source IP addresses in the wrong I/F? Or am I missing the point?

Just drop packets coming in the external interface that claim to have an IP of your internal network.
I mean, if your local network has IPs in the 192.168.1.0 range, and eth0 is your external interface, eth1 your internal interface, then an incoming connection coming on the external interface (eth0) with an IP in the 192.168.1.0 range is clearly spoofed. Just drop them. But that's REALLY a standard security feature to set up a firewall like that. Then you can distinguish people with their IPs in Apache's configuration. But if there's a security breach, it'll be your firewall's fault, not Apache's.
--
Jean-Christophe Montigny
Web Committee Lead, Association Planètes
Server Administrator for assoces.com, Association Planètes
Second-year student at Grenoble Ecole de Management
Major: Information Systems Organization Consulting
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
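
The ingress filter described in the reply above, written out as Linux iptables rules. This is an added example, not part of the original message. The use of iptables, the /24 prefix, the rate-limited LOG rule, the rp_filter setting and the function names are assumptions; eth0 and 192.168.1.0 are the post's example values.

```shell
#!/bin/sh
# Added example: print anti-spoofing rules for a dual-homed Linux firewall.
# Assumed: iptables, eth0 = external interface, 192.168.1.0/24 = internal LAN.

# valid_cidr NET: shape check only (dotted quad plus /0-32), so that nothing
# but an address can end up inside the generated rule text.
valid_cidr() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# antispoof_rules EXT_IF NET...: print the rules, apply nothing.
# Review the output, then pipe it to sh as root.
antispoof_rules() {
    ext_if=$1
    shift
    case $ext_if in
        ''|*[!A-Za-z0-9_-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    # Validate every network before printing anything.
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    for net in "$@"; do
        # INPUT covers traffic to the firewall itself, FORWARD covers
        # traffic routed through it to hosts such as the Apache server.
        for chain in INPUT FORWARD; do
            # Log first (rate-limited so a flood cannot fill the disk), then drop.
            echo "iptables -A $chain -i $ext_if -s $net -m limit --limit 5/min -j LOG --log-prefix 'SPOOF: '"
            echo "iptables -A $chain -i $ext_if -s $net -j DROP"
        done
    done
    # Kernel reverse-path filter as a second layer: drops packets whose
    # source would not be routed back out of the interface they arrived on.
    echo "sysctl -w net.ipv4.conf.$ext_if.rp_filter=1"
}

# The post's example values; prints five commands.
antispoof_rules eth0 192.168.1.0/24
```

The rules only help if they sit before any ACCEPT rule that would match the same packets, so insert them at the top of the chain or load them first.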