On Sun, 21 Oct 2007 07:31:58 +0300, Al Boldi said: > > Well, for example to stop any transient packets being forwarded. You could > > probably hack around this using mark's, but you can't stop the implied > > route lookup, unless you stop it in prerouting. > > Basically, you have one big unintended gaping whole in your firewall, that > could easily be exploited for DoS attacks at the least, unless you put in > specific rules to limit this. OK, the light bulb just went on... ;) We actually *do* have an issue with the flip side of that - it's a frikking pain to make packets that show up on eth0 with a destination of 127.0.0.1 go away un-noticed - or at least I'm assuming it's the flip side of the same issue.
Attachment:
pgpxVV9NrhNMR.pgp
Description: PGP signature
