martin f krafft wrote:

> also sprach Martin G.H. Minkler <dukeofnukem@gmx.net> [2004.10.21.1345 +0200]:
>
>> Although it is hardly imaginable that someone <tm> manages to spoof the interface match, I wanted my rules as tight as possible, thus using interface _and_ DynIP ('$IPTABLES -A INPUT -p tcp -d $IP_INET -i $DEV_INET -m state --state NEW -j BLACKLIST') - it would naturally all be solved if I refrained from using variables and resorted to -i ppp0 instead.
>
> Why do you want your rules to be as tight as possible? While I fundamentally agree with this approach, I don't really see an added value for limiting the destination address.

The basic idea was to double-latch things: if one criterion could be spoofed, the other would still hold. When it comes to a pppoe connection, the single IP and gateway provided by the ISP certainly limit the probability of any of that happening; on the other hand, I have seen bad setups in which a LAN and a gateway with just one NIC were sharing a switch - filtering $DEV_INET would mean filtering $DEV_LAN at the same time. Well, looks like I still have to think up a situation where this rule would provide any additional protection though ;-)

> You do know that there are plenty of firewall scripts for iptables already, right?

Sure, I just like fiddling with things under the hood, messing them up and putting them back together ;-) IMHO, with a bit of knowledge it is sometimes much easier to quickly act upon tsunamis of worms sweeping through a LAN from a few infected M$-boxes. Dropping their MAC addresses so they can't bug the outside world is often more a question of speed than of comfortable configuration (and eventually necessary stop/start steps).

For quick and easy setups I enjoy shorewall very much.

best regards
Martin
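As an added illustration of the two techniques this thread talks about (not code from either poster): a small sh fragment in the variable-driven style of the quoted rule, with a helper that resolves the dynamic address of the external interface, an INPUT rule that latches on both interface and destination address, and a MAC-based FORWARD drop for quarantining an infected LAN host. The interface names ppp0/eth0 and the address 192.0.2.10 are assumed; setting IPTABLES=echo turns the script into a dry run that only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the thread. Set IPTABLES=echo to dry-run.
IPTABLES="${IPTABLES:-iptables}"
DEV_INET="${DEV_INET:-ppp0}"   # assumed external (pppoe) interface
DEV_LAN="${DEV_LAN:-eth0}"     # assumed LAN interface

# Resolve the current IPv4 address of an interface at run time (empty if
# the interface is down or absent). Works for both "a.b.c.d/24" and the
# "a.b.c.d peer ..." form that ppp interfaces show.
inet_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' \
        | cut -d/ -f1 | head -n 1
}

# INPUT rules that double-latch on interface AND destination address:
# a packet has to arrive on $dev and be addressed to $ip to reach BLACKLIST.
input_rules() {
    dev="$1"; ip="$2"
    $IPTABLES -N BLACKLIST 2>/dev/null
    $IPTABLES -A BLACKLIST -m limit --limit 5/min -j LOG --log-prefix "BLACKLIST: "
    $IPTABLES -A BLACKLIST -j DROP
    $IPTABLES -A INPUT -i "$dev" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -d "$ip" -i "$dev" -m state --state NEW -j BLACKLIST
}

# Quick containment: stop one LAN host (identified by MAC) from reaching the
# outside world, inserted at the top of FORWARD so it wins over later rules.
quarantine_mac() {
    mac="$1"
    $IPTABLES -I FORWARD 1 -i "$DEV_LAN" -o "$DEV_INET" \
        -m mac --mac-source "$mac" -j DROP
}

# Apply for real only when invoked as: sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    input_rules "$DEV_INET" "$(inet_ip "$DEV_INET")"
fi
```

Note that `-m mac --mac-source` only sees the MAC of the last hop, so it is useful on the LAN-facing side of the gateway and meaningless for traffic arriving over ppp0.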