Re: Automatic forwarding to own interfaces

>That's a "normal" Linux behaviour. Linux answers packets destined to any
>of its own IPs on any interface, as long as your INPUT filtering rules
>allow it. You can set something like:
>
>	iptables -A INPUT -d 192.168.1.5 -i ! eth1 -j DROP
>	iptables -A OUTPUT -s 192.168.1.5 -o ! eth1 -j DROP

Hmm... I was afraid this was the case.

So in the common small-scale setup with one box acting as router, firewall and internal web and SMTP server, this is an absolute must, or your "internal" web and SMTP services will in fact be open to anyone.

So what is the point in configuring daemons to listen only on specific addresses?

This is probably a surprise to some, as it is to me. Quite a few firewall packages and setups miss this point.

Simon
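A small audit helper for the situation discussed above, added here as an example and not part of the thread: it reads `ss -Hltn` style output (a constructed sample is embedded), flags listeners that Linux will answer on every interface, and prints the interface-pinning rules the quoted reply describes in current iptables negation syntax. The interface name eth1 and address 192.168.1.5 are taken from the quoted rules; the other addresses and ports in the sample are made up.

```shell
#!/bin/sh
# Interface and address of the "internal" side (from the quoted rules).
INT_IF="eth1"
INT_IP="192.168.1.5"

# Constructed sample of `ss -Hltn` output (IPv4 TCP listeners, no header):
# State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='LISTEN 0 128 192.168.1.5:80   0.0.0.0:*
LISTEN 0 128 0.0.0.0:25        0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306    0.0.0.0:*
LISTEN 0 128 203.0.113.7:22    0.0.0.0:*'

# Print "addr:port" for listeners bound to the internal IP or to the
# wildcard address: with the weak-host model both answer on any interface
# unless a filter rule stops them. Loopback and other addresses are skipped.
# (IPv4 only; the split on ":" would not handle IPv6 literals.)
exposed_listeners() {
    printf '%s\n' "$1" | awk -v ip="$2" '{
        split($4, a, ":"); addr = a[1]; port = a[2]
        if (addr == ip || addr == "0.0.0.0") print addr ":" port
    }'
}

# Emit iptables rules for each exposed listener: pin the internal address to
# the internal interface (as in the thread), and for wildcard sockets, where
# an address match cannot help, drop that port on every other interface.
# Usage: pin_rules SS_OUTPUT INTERFACE INTERNAL_IP
pin_rules() {
    exposed_listeners "$1" "$3" | while IFS=: read -r addr port; do
        if [ "$addr" = "$3" ]; then
            printf 'iptables -A INPUT -d %s ! -i %s -j DROP\n' "$addr" "$2"
            printf 'iptables -A OUTPUT -s %s ! -o %s -j DROP\n' "$addr" "$2"
        else
            printf 'iptables -A INPUT -p tcp --dport %s ! -i %s -j DROP\n' "$port" "$2"
        fi
    done
}

# Stand-alone run on the constructed sample.
exposed_listeners "$SAMPLE_SS" "$INT_IP"
pin_rules "$SAMPLE_SS" "$INT_IF" "$INT_IP"
```

On a real host replace SAMPLE_SS with `$(ss -Hltn)` and review the printed rules before loading them; the rules only cover TCP listeners, so UDP services need the same treatment with `-p udp`.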


