On Wed, 2008-10-29 at 15:00 +0100, Julien Vehent wrote:
> Hi,
>
> On Wed, 29 Oct 2008 14:20:36 +0100, Pierre LEBRECH
> <pierre.lebrech@xxxxxxxxxxx> wrote:
> > Hi,
> >
> > It seems that even if I drop some INPUT packets with iptables, tcpdump
> > still sees these packets arriving on the ethernet interface.
> >
> > Could anybody explain this to me a bit?
>
> The pcap driver catches the packet before it's processed by netfilter.
> This is a known issue that has even been used in a rootkit PoC to
> communicate with the rootkit before the firewall drops the packet.

You may call it a "known issue"; I'd call it a very useful and desirable
feature for debugging network packet filters.

If you want to protect your machine against this issue, you could simply
disable packet sockets, couldn't you?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
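The practical consequence of the thread above is that a packet appearing in a tcpdump capture says nothing about whether it got past the INPUT chain; the capture happens on the packet socket before netfilter runs. The usual way to tell the two apart when debugging a filter is to compare what tcpdump saw with the per-rule counters from `iptables -nvxL INPUT`. The script below is an added example, not something from the thread or from the netfilter project: it parses constructed samples of both outputs (hypothetical host 198.51.100.5, counters assumed to have been zeroed with `iptables -Z INPUT` just before the capture started) and reports, per destination port, how many packets were captured and how many the DROP rules consumed. It handles IPv4 TCP lines only.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -ni eth0 tcp` on the hypothetical host 198.51.100.5.
TCPDUMP_OUTPUT = """\
15:00:01.000101 IP 192.0.2.10.51234 > 198.51.100.5.23: Flags [S], seq 1, win 64240, length 0
15:00:02.000202 IP 192.0.2.10.51235 > 198.51.100.5.23: Flags [S], seq 2, win 64240, length 0
15:00:03.000303 IP 192.0.2.11.40000 > 198.51.100.5.22: Flags [S], seq 3, win 64240, length 0
15:00:04.000404 IP 192.0.2.10.51236 > 198.51.100.5.23: Flags [S], seq 4, win 64240, length 0
"""

# Constructed sample of `iptables -nvxL INPUT` for the same interval (assumes the
# counters were zeroed with `iptables -Z INPUT` right before the capture started;
# without that, pkts is cumulative and the comparison is meaningless).
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
       1       60 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

# tcpdump -n prints "src.sport > dst.dport:" for IPv4; the port is the last dotted field.
TCPDUMP_LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)
# iptables -nvxL rule row: pkts bytes target prot opt in out source destination [match text]
IPTABLES_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$"
)
DPT = re.compile(r"\bdpt:(\d+)")


def count_captured_by_dport(tcpdump_text):
    """Packets per TCP destination port as seen on the packet socket (before netfilter)."""
    seen = Counter()
    for line in tcpdump_text.splitlines():
        m = TCPDUMP_LINE.match(line)
        if m:
            seen[int(m.group(4))] += 1
    return seen


def parse_input_rules(iptables_text):
    """Return (target, proto, dport, pkts) for each rule row that matches on a dport."""
    rules = []
    for line in iptables_text.splitlines():
        m = IPTABLES_ROW.match(line)
        if not m:
            continue  # chain header or column header row
        pkts, _bytes, target, proto, extra = m.groups()
        d = DPT.search(extra)
        if d:
            rules.append((target, proto, int(d.group(1)), int(pkts)))
    return rules


def reconcile(tcpdump_text, iptables_text):
    """For each captured dport, pair the pcap count with what the INPUT DROP rules consumed."""
    captured = count_captured_by_dport(tcpdump_text)
    dropped = Counter()
    for target, proto, dport, pkts in parse_input_rules(iptables_text):
        if target == "DROP" and proto == "tcp":
            dropped[dport] += pkts
    return {port: {"captured": n, "dropped": dropped.get(port, 0)}
            for port, n in captured.items()}


if __name__ == "__main__":
    for port, r in sorted(reconcile(TCPDUMP_OUTPUT, IPTABLES_OUTPUT).items()):
        note = ("all dropped after capture" if r["dropped"] >= r["captured"]
                else "some reached the stack")
        print(f"dport {port}: tcpdump saw {r['captured']}, "
              f"INPUT DROP counted {r['dropped']} ({note})")
```

On the sample, port 23 shows three packets captured and three dropped (tcpdump saw them, netfilter then discarded them), while port 22 shows one captured and none dropped. Running this against live output only works if the counters and the capture cover the same window, which is why the example assumes the chain counters were zeroed first.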