
Re: Interface Envy



I think the anti-spoof rules in the 2.2.x kernels should make this safe.  Anything coming on the other interfaces w/ the 127.0.0.1 address won't be allowed.

Wade

David Coe wrote:

^chewie <chewie@wookimus.net> writes:

> The linking rule for the inet-if is found in the 'input' chain:
>     ipchains -A input -d <inet_ip_addr> -j inet-if
>
> The first rule of the inet-if chain is to DENY any input on interfaces
> other than the Internet interface (in this case eth1).
>     ipchains -A inet-if -i ! eth0 -j DENY -l
>
> Now, this seems very logical, but I get the following type of message
> quite often:
>     Jan 26 09:15:42 mirax kernel: Packet log: inet-if DENY lo PROTO=6
>     209.98.238.114:1680 209.98.238.114:25 L=60 S=0x00 I=25925 F=0x4000
>     T=64 SYN (#1)

Looks like you tried to send yourself mail, or more likely a cron job
did.  Either change those to use 'localhost' as the address for your
local smtp Mail Transfer Agent, or add a rule (as you suggest below)
to allow input for your external IP address to also come from the lo
interface.

(lo is used by processes running on your own machine, even for
your addresses other than 127.0.0.1)

> Should I
> create a chain to allow lo interface access to all of my other interface
> IP's.
>
>     ipchains -I inet-if 1 -i lo -s <inet_ip_addr> -j ACCEPT -l

I often see rules that start with:

   ipchains -A input  -j ACCEPT -i lo
   ipchains -A output -j ACCEPT -i lo

to accept anything coming in via or going out via the 'lo' interface,
on the assumption that it has to have been created locally.  I don't
*know* whether that's safe; I have no knowledge with which to
challenge the assumption, but it's nice and clean.  (Anybody else
know?)  Your suggestion is better (more restrictive), so I'd go with
that, at least until you find yourself creating too many of them.


-- 
Wade Burgett
http://www.burgettsys.com
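To make the chain traversal discussed in the thread concrete, here is a small model of how ipchains walks the 'input' chain into the user chain 'inet-if'. This is an added example, not code from the thread and not ipchains itself: it implements only the matchers the quoted rules use (-i, -s, -d, and '!' negation on -i) and the targets ACCEPT, DENY and jump-to-chain. The external address and eth0 are taken from the log line and rules in the thread; eth1 as the internal interface and 192.168.1.10 as an internal host are constructed for the illustration, and the 'input' chain's default policy is not shown in the thread, so a packet that falls off the end is reported as "POLICY".

```python
"""Model of ipchains chain traversal for the rules quoted in the thread.

Added illustration, not ipchains.  Only -i, -s, -d (with '!' on -i) and the
targets ACCEPT, DENY and jump-to-user-chain are modelled.  As in ipchains,
falling off the end of a user chain returns to the calling chain; falling
off the end of 'input' is reported as "POLICY" since the thread does not
show that chain's default policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

INET_IP = "209.98.238.114"   # external address, as in the thread's log line
INET_IF = "eth0"             # Internet interface used in the thread's DENY rule
INNER_IF = "eth1"            # assumption: the internal interface
INNER_IP = "192.168.1.10"    # constructed: a host on the internal side


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT", "DENY" or a user chain name
    iface: Optional[str] = None     # -i <iface>
    negate_iface: bool = False      # -i ! <iface>
    src: Optional[str] = None       # -s <addr>
    dst: Optional[str] = None       # -d <addr>

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and (pkt.iface == self.iface) == self.negate_iface:
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        return True


class Chains:
    def __init__(self) -> None:
        self.chains: dict[str, list[Rule]] = {"input": []}

    def new(self, name: str) -> None:                 # ipchains -N <chain>
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:  # ipchains -A <chain> ...
        self.chains[chain].append(rule)

    def insert(self, chain: str, pos: int, rule: Rule) -> None:
        self.chains[chain].insert(pos - 1, rule)      # ipchains -I <chain> <pos> (1-based)

    def _walk(self, pkt: Packet, chain: str) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DENY"):
                return rule.target
            sub = self._walk(pkt, rule.target)        # jump into a user chain
            if sub is not None:
                return sub
            # user chain fell through: keep walking the calling chain
        return None

    def verdict(self, pkt: Packet) -> str:
        return self._walk(pkt, "input") or "POLICY"


def build_ruleset(with_lo_rule: bool) -> Chains:
    """The chains quoted in the thread; with_lo_rule adds the proposed fix."""
    c = Chains()
    c.new("inet-if")
    # ipchains -A input -d <inet_ip_addr> -j inet-if
    c.append("input", Rule(target="inet-if", dst=INET_IP))
    # ipchains -A inet-if -i ! eth0 -j DENY -l
    c.append("inet-if", Rule(target="DENY", iface=INET_IF, negate_iface=True))
    if with_lo_rule:
        # ipchains -I inet-if 1 -i lo -s <inet_ip_addr> -j ACCEPT -l
        c.insert("inet-if", 1, Rule(target="ACCEPT", iface="lo", src=INET_IP))
    return c


# The packet behind the thread's log line: a local process talking to the
# host's own external address, which the kernel delivers over lo.
LOGGED = Packet(iface="lo", src=INET_IP, dst=INET_IP)
# The same connection made to 'localhost' instead (the other suggested fix).
LOCALHOST = Packet(iface="lo", src="127.0.0.1", dst="127.0.0.1")
# Constructed: an internal host sending to the external address via eth1,
# the case the inet-if DENY rule exists for.
FROM_INSIDE = Packet(iface=INNER_IF, src=INNER_IP, dst=INET_IP)
# Constructed: a packet on eth0 claiming to come from our own external address.
SPOOFED_SELF = Packet(iface=INET_IF, src=INET_IP, dst=INET_IP)


def verdicts(pkt: Packet) -> tuple[str, str]:
    """(verdict without the lo rule, verdict with it)."""
    return build_ruleset(False).verdict(pkt), build_ruleset(True).verdict(pkt)


if __name__ == "__main__":
    for name, pkt in [("logged", LOGGED), ("localhost", LOCALHOST),
                      ("from inside", FROM_INSIDE), ("spoofed self on eth0", SPOOFED_SELF)]:
        before, after = verdicts(pkt)
        print(f"{name:22s} {pkt.iface:4s} {pkt.src} -> {pkt.dst}: {before} -> {after}")
```

Walking the four packets shows the point of the thread: the logged lo packet is DENYed by the first inet-if rule and ACCEPTed once the lo rule is inserted ahead of it, while the eth1 packet is still DENYed either way, so the fix is as narrow as intended. Sending to 'localhost' never enters inet-if at all, which is why that alternative also stops the log messages. The spoofed-self packet on eth0 is not matched by any of the rules quoted in the thread in either ruleset; the kernel-level anti-spoof checks Wade refers to are outside this model.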
 