Re: Purpose of self-referential rule

On Wed, Feb 26, 2003 at 09:03:58AM -0500, Joel Newkirk wrote:
> On Monday 24 February 2003 11:06 am, Kelly Setzer wrote:
> > I've been experimenting with gShield trying to learn the ins and outs
> > of iptables.  One of the rules it generates is:
> >
> > iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j
> > ACCEPT
> >
> > The source and dest are correct for my internal network, and eth1 is
> > the internal net.  My question is, when would the firewall ever see a
> > packet that could possibly match this?
> >
> 
> What's the IP of eth1?  This is the INPUT chain, so it's for traffic 
> targeted at the firewall box itself.  Having a destIP listed with a /24 
> is a little odd, though, unless you are DHCP assigned IP or some such 
> where it won't know the IP when the rule is generated, or it may change.

The eth1 interface has a statically assigned address of 192.168.6.1.
Another respondent mentioned that its only use (as an INPUT rule) would
be to allow traffic directly to the firewall.  DHCP is used to assign
addresses to Windows clients on this network.  In any case, it seems a
little weak to allow clients full access to the firewall - way too
open.

I suppose I should try removing the rule and seeing if anything
breaks.

thanks all,
Kelly

--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com  http://www.placemark.com
(972)404-8100x41 (work)       (214) 287-3464 (cell)
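Joel's point that INPUT only sees traffic addressed to the firewall itself, and Kelly's that the rule then admits any LAN host to every service on the box, as an added illustration that is not code from the thread or from gShield: a small Python model of the INPUT/FORWARD decision and of rule matching. The address 192.168.6.1 on eth1 comes from the thread; the client hosts, ports and the narrower alternative rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The firewall's own addresses, keyed by interface (192.168.6.1 on eth1 is from the thread).
LOCAL_ADDRS = {"eth1": ipaddress.ip_address("192.168.6.1")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet arrived on (-i)
    dport: int = 0  # destination port; 0 = not relevant for this packet


@dataclass(frozen=True)
class Rule:
    src: str                     # -s, CIDR
    dst: str                     # -d, CIDR
    iface: str                   # -i
    dport: Optional[int] = None  # --dport; None = any port


def chain_for(pkt: Packet) -> str:
    """Netfilter routes a packet addressed to one of the box's own IPs to INPUT,
    anything it would route onward to FORWARD."""
    return "INPUT" if ipaddress.ip_address(pkt.dst) in LOCAL_ADDRS.values() else "FORWARD"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Evaluate the -s / -d / -i / --dport match criteria of one rule."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and pkt.iface == rule.iface
            and (rule.dport is None or rule.dport == pkt.dport))


def input_accepts(rule: Rule, pkt: Packet) -> bool:
    """True only if the packet reaches the INPUT chain and the INPUT rule matches it."""
    return chain_for(pkt) == "INPUT" and matches(rule, pkt)


# The gShield rule as quoted in the thread:
#   iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j ACCEPT
GSHIELD_RULE = Rule("192.168.6.0/24", "192.168.6.0/24", "eth1")

# Constructed narrower alternative: only the firewall's own address, only one port (53 here).
TIGHT_RULE = Rule("192.168.6.0/24", "192.168.6.1/32", "eth1", dport=53)
```

Running the model shows that LAN-to-LAN traffic never reaches INPUT at all, that the quoted rule accepts any port on 192.168.6.1 from any eth1 host, and that the `-i eth1` clause is what keeps a 192.168.6.x source arriving on another interface from matching.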


