Hello, Scott Mcdermott a écrit : > > I encountered a system today with two attached > networks, one public and the other RFC1918. The box > had ip_foward=1, FORWARD chain empty, policy ACCEPT. > rp_filter was set on both the interfaces. > > Now if I were somewhere off the public interface, but > many hops away, there is no possible way to get packets > to the RFC1918 side of the box is there? Because I > have no way to actually route the packets to the > gateway with destination addresses on the far side. So > actually this box is safe from malicious activity, even > though there is an ACCEPT policy on FORWARD and it's > set with routing enabled. Is this correct? No, it is wrong. If all the routers on the path are compromised or misconfigured, they could forward such packets to the box. Unlikely ? Yes. Impossible ? No. Not to mention any IP-IP encapsulation tunnel that would allow the transport of a private packet over the public internet. Do not have your security rely on someone else. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
