> AragonX wrote:
>
> > I'm afraid someone will spoof the IP addresses of the internal network
> > to bypass this security measure.

I don't see how that's possible. Given the following:

	M - malicious hacker at address M
	W - webserver
	I - internal network machine

M will send the following packet:

	M -> SRC I:1234 DST W:80 SYN (i.e. establish a connection)

Assuming the packet makes it through, W will then respond:

	W -> SRC W:80 DST: I:1234 SYN ACK

But this will go to I, NOT back to M. I will get this packet and will drop it since no connection is actually being made. Even if M can guess the TCP sequence numbers to "fake" a connection, it's still a one-way connection where M can send packets to W, but W cannot send packets back to M (since W thinks they're coming from I and sends its responses back to I).

  -spc

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
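
The exchange described in the reply above, as an added example that is not part of the original post: a toy in-memory model of the three-way handshake in which W accepts only source address I and delivery is by destination address. The names `deliver`, `Host`, `Server` and `handshake` are hypothetical, and the model assumes W picks an unpredictable 32-bit initial sequence number.

```python
import secrets

def deliver(net, pkt):
    """Toy network: a packet goes to its DST address, never back to its true sender."""
    net[pkt["dst"]].receive(net, pkt)

class Host:
    def __init__(self, net, addr):
        self.addr, self.inbox, self.pending = addr, [], set()
        net[addr] = self

    def syn(self, net, dst, src=None):     # src=None: our own address; else a forged one
        if src is None:
            src = self.addr
            self.pending.add(dst)          # a connection we really opened
        deliver(net, {"src": src, "dst": dst, "flags": "SYN", "seq": 1234})

    def receive(self, net, pkt):
        self.inbox.append(pkt)
        if pkt["flags"] == "SYN-ACK" and pkt["src"] in self.pending:
            ack = (pkt["seq"] + 1) % 2**32
            deliver(net, {"src": self.addr, "dst": pkt["src"], "flags": "ACK", "ack": ack})
        # An unsolicited SYN-ACK matches no pending connection and is dropped.

class Server(Host):
    def __init__(self, net, addr, allowed):
        super().__init__(net, addr)
        self.allowed, self.half_open, self.established = allowed, {}, set()

    def receive(self, net, pkt):
        src = pkt["src"]
        if src not in self.allowed:
            return                         # address-based access control
        if pkt["flags"] == "SYN":
            self.half_open[src] = secrets.randbits(32)   # unpredictable ISN
            deliver(net, {"src": self.addr, "dst": src, "flags": "SYN-ACK",
                          "seq": self.half_open[src]})
        elif pkt["flags"] == "ACK" and src in self.half_open:
            if pkt["ack"] == (self.half_open.pop(src) + 1) % 2**32:
                self.established.add(src)

def handshake(spoofed):
    """Return (peers established on W, packets seen by M, flags seen by I)."""
    net = {}
    w, i, m = Server(net, "W", {"I"}), Host(net, "I"), Host(net, "M")
    if spoofed:
        m.syn(net, "W", src="I")           # M forges I as the source
    else:
        i.syn(net, "W")
    return sorted(w.established), len(m.inbox), [p["flags"] for p in i.inbox]
```

In the spoofed run W's SYN-ACK lands in I's inbox, M receives nothing, and W is left with a half-open entry that never becomes an established connection.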