Re: ebtables and anti-spoofing rules not working 100%?

Tomasz Chmielewski wrote:
> On 30.08.2010 20:14, Pascal Hambourg wrote:
> 
>>> With these rules, I'm not able to communicate (i.e. ping) with other
>>> hosts in the same subnet, except the gateway (although this was the same
>>> with my previous rules, I think).

I am not very experienced with ebtables, so maybe I missed something. I
quickly tested these rules with two hosts and they seemed to work as
expected.

>> Of course these rules are just a part of the ruleset. Did you do the
>> same for all other bridge ports and hosts in the subnet?
> 
> No, I did not.

Communication is two-way. The rules I suggested accept only one way. The
other way depends on the rest of the rules.

> So even if it's blocked on one bridge, rogue MAC/IP can still "get 
> outside" and interfere with other bridges/guests?

That would imply that the host is connected to multiple bridges. Of
course each bridge is independent.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
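The point Pascal makes above is that per-port anti-spoofing rules only cover the direction in which the guest sends; with a DROP policy on the bridge FORWARD chain, frames travelling back towards each guest port need their own accept rules, and every port in the subnet needs the same treatment. The rules actually suggested in the thread are not quoted here, so the following is an added, constructed example of a symmetric ebtables ruleset generator, not code from anyone in this thread. The port names (vnet0..2), MAC addresses and 192.0.2.x addresses are placeholders; EBT defaults to "echo ebtables" so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Constructed example: build a symmetric ebtables anti-spoofing ruleset for
# a bridge with one guest per port. Nothing here is applied unless EBT is
# overridden; the default only echoes the commands.
EBT="${EBT:-echo ebtables}"

# Host table (constructed placeholder values): bridge_port MAC IPv4.
HOSTS='
vnet0 52:54:00:00:00:01 192.0.2.11
vnet1 52:54:00:00:00:02 192.0.2.12
vnet2 52:54:00:00:00:03 192.0.2.13
'

# Inbound direction for one guest port: frames entering the bridge from
# PORT are accepted only when the Ethernet source is the bound MAC and the
# IPv4 source (or ARP sender address) is the bound IP. Everything else
# arriving on that port is dropped right here, so a later accept rule for
# another port's outbound direction can never rescue a spoofed frame.
inbound_rules() {
    port=$1 mac=$2 ip=$3
    $EBT -A FORWARD -i "$port" -s "$mac" -p IPv4 --ip-src "$ip" -j ACCEPT
    $EBT -A FORWARD -i "$port" -s "$mac" -p ARP --arp-ip-src "$ip" -j ACCEPT
    $EBT -A FORWARD -i "$port" -j DROP
}

# Outbound direction: the reply half of "communication is two-way". Frames
# leaving the bridge towards PORT (from the uplink or from another guest
# that already passed its own inbound check) are accepted.
outbound_rules() {
    $EBT -A FORWARD -o "$1" -j ACCEPT
}

each_host() {
    # Run "$1 port mac ip" for every non-empty line of HOSTS.
    printf '%s\n' "$HOSTS" | while read -r port mac ip; do
        [ -n "$port" ] && "$1" "$port" "$mac" "$ip"
    done
}

# Two passes on purpose: all inbound checks (with their per-port DROP) must
# precede all outbound accepts. Interleaving them per port would let a
# spoofed frame from vnet1 match "-o vnet0 -j ACCEPT" before reaching the
# "-i vnet1 -j DROP" rule.
build_ruleset() {
    $EBT -F FORWARD
    $EBT -P FORWARD DROP
    each_host inbound_rules
    each_host outbound_rules
}

# Helpers for checking the generated ruleset (dry-run mode only).
rule_count() {
    build_ruleset | grep -c '^ebtables -A FORWARD'
}

# Exit 0 when the last per-port DROP precedes the first outbound accept.
inbound_before_outbound() {
    build_ruleset | awk '
        /-j DROP/               { last_drop = NR }
        /-o vnet/ && !first_out { first_out = NR }
        END { exit !(last_drop < first_out) }'
}

build_ruleset
```

Run it as is to review the generated rules; run it with `EBT=ebtables` as root to apply them. The same ordering argument applies if the ruleset is expressed in the nftables bridge family instead of ebtables: source checks for every port first, then the outbound accepts.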

